Database admin steals 2.3M consumer records at Fidelity National subsidiary

Computerworld - Call it the case of hiring a fox to guard the hen house. A senior database administrator at a subsidiary of Fidelity National Information Services Inc. who was responsible for defining and enforcing data access rights at the company instead took data belonging to about 2.3 million consumers and sold it to a data broker.

The broker in turn sold a subset of the data to other marketing companies. The stolen data included names, addresses, birth dates, bank account and credit card information, the company said in a statement released today.

For the moment at least, it appears that the companies that bought the information have mainly used the data to send marketing solicitations to affected individuals, Fidelity said in its statement.

Fidelity National Information Services describes itself as a provider of "core financial institution processing, card issuer and transaction processing services, mortgage loan processing and related information products and outsourcing services to financial institutions, retailers, mortgage lenders and real estate professionals." It is separate from the better-known Fidelity Investments.

"We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer," Renz Nichols, president of Fidelity subsidiary Certegy Check Services Inc. was quoted as saying in the release.

The database administrator, who has since been terminated, worked for Certegy, which provides a check-authorization service to help merchants decide whether to accept checks as payment for goods and service.

The theft was first noticed when one of Certegy's retail customers in early May reported a correlation between a "small amount" of check transactions and the receipt by the retailers' customers of telephone and mailed marketing solicitations, Fidelity said.

When an internal Certegy investigation prompted by the compliant failed to find any evidence of a computer breach, the company asked the U.S. Secret Service to contact the companies sending the solicitations to trace the data source.

The investigation showed that the source of the data was a company owned by the Certegy database administrator who had also stolen the data. To avoid detection, the administrator appears to have downloaded the data to a storage device rather than transmit it electronically. It wasn't until the middle of last week or so that the full extent of the theft was discovered, a Fidelity spokeswoman said this morning.

Certegy has begun notifying the 2.3 million affected customers about the potential compromise of their data, the spokeswoman said. It has also filed a civil complaint in St. Petersburg, Fla., against the database administrator and the companies that received the stolen data asking them to return it, she said.

In a statement, Fidelity president and CEO Lee Kennedy expressed his "deep sadness and heartfelt apology" over the incident. "We will do everything possible to ensure no consumer is harmed because of this horrible betrayal," he said.

Read more about security in Computerworld's Security Knowledge Center.