DBA who stole consumer data gets 57 months in prison, $4M bill

Computerworld - A former database administrator at Certegy Check Services Inc. who admitted last year that he stole the personal data of about 8.5 million consumers and sold the information to data brokers has been sentenced to 57 months in prison by a federal judge.

In addition, the judge ordered William G. Sullivan to pay almost $4 million in restitution to consumers victimized by the data-theft scheme and to submit to three years' of court supervision upon his release from prison. The sentence was handed down last Thursday in the U.S. District Court in Tampa, Fla.

Sullivan pleaded guilty to felony fraud charges last November, four months after the data thefts were disclosed by Certegy's parent company, Fidelity National Information Services Inc. As part of the plea agreement, prosecutors agreed to recommend a reduction from the maximum five-year sentence that Sullivan could have received.

Certegy, which is based in St. Petersburg, Fla., provides check-authorization services to financial institutions and merchants worldwide. According to court records, Sullivan, a resident of Florida's Pinellas County, systematically accessed Certegy's databases and downloaded consumer records over a five-year period starting in February 2002. The information that he stole included names, addresses, dates of birth, phone numbers, bank account as well as credit and debit card numbers, and payment card transaction data.

Sullivan admitted that he sold the data to an unidentified third party for a total of $580,000. The third party in turn sold the information to other data brokers. Sullivan even set up a company in Largo, Fla., called S&S Computer Services, which he used as a front to sell the stolen data on his own, according to the court records.

His actions were discovered when a retailer that uses Certegy's service reported seeing a correlation between a small number of check transactions and the subsequent receipt of telephone and direct-mail marketing solicitations by some of its customers.

Fidelity, which refers to itself as FIS and is a separate company from both Fidelity Investments Inc. and Fidelity National Financial Inc., initially said that about 2.3 million consumer records had been stolen. But in filings with the U.S. Securities and Exchange Commission three weeks after the initial disclosure, FIS increased the count of compromised records to as much as 8.5 million. However, the company claimed that the stolen information had been used purely for direct marketing purposes and not to commit any kind of financial fraud.

A California law firm quickly filed a class-action lawsuit against FIS and Certegy in connection with the data thefts. Certegy offered to settle the suit earlier this year, proposing a deal that would include one year's worth of free credit-monitoring services and limited amounts of identity theft insurance coverage and reimbursements for costs incurred as a result of the data breach.