Fidelity: Employee stole, sold 2.3 million consumer records

In one of this year's largest data breaches, financial processing company Fidelity National Information Services revealed on Tuesday that a subsidiary's employee stole 2.3 million consumer records containing credit card, bank account and other personal information.

Although Fidelity said the data was not used for identity theft or other fraudulent activity, it revealed that the employee sold it to a data broker, who then sold it to several direct marketing companies. Fidelity said in a prepared statement that about 2.2 million records stolen from the subsidiary, Certegy Check Services, contained bank account information; 99,000 contained credit card information.

This follows numerous other widely publicized leaks of personal information this year, including the loss of 45.7 million credit and debit card account numbers by the TJX companies in January. According to the Privacy Rights Clearinghouse, nearly 160 million records containing sensitive personal information have been involved in security breaches since the ChoicePoint incident in early 2005.

"I have to admit that I'm not convinced that actual breaches aren't more prevalent," Eric Maiwald, a senior analyst with the Burton Group, told "I'm not at all convinced these didn't happen in the past, there just was no mechanism or requirement for companies to disclose."

Consumers whose data was stolen in the Certegy theft received "marketing solicitations," according to Renz Nichols, president of Certegy. The company said it has "no reason to believe" that any data lost in the breach was used in fraudulent activity.

According to Certegy, the perpetrator was a senior-level database administrator with rights to define and enforce data-access permissions. To avoid detection, the employee removed the information from Certegy's facility via physical devices, not electronic means.

Certegy said it has filed a civil complaint in St. Petersburg, Fla. against the employee, who has since been fired, and the marketing companies involved.

"An inside job is a difficult problem, in any case," noted Maiwald. "You have an individual who uses legitimate access to do something beyond what it should be able to do."

"How to prevent this? There's no single answer," he added.

He suggested companies perform not only pre-hire background checks of employees with access to sensitive data but "periodic, over-time checks," as well. Beyond that, he added, companies can "make sure employees have only least-privileges, and they should be auditing the various actions they're taking, especially [network and database] administrators."

Encrypting traffic in and out of databases containing sensitive data is another strategy financial services companies should consider, he said. That "gets tricky because database or systems administrators generally have lots of access -- access to different types of information is often key to doing their job -- and when you encrypt data to protect it from the prying eyes of administrators, it can [negatively affect] their job."

You must be a registered member of SC Magazine to post a comment.