In one of this year's largest data breaches, financial processing company Fidelity National Information Services revealed on Tuesday that a subsidiary's employee stole 2.3 million consumer records containing credit card, bank account and other personal information.
Although Fidelity said the data was not used for identity theft or other fraudulent activity, it revealed that the employee sold it to a data broker, who then sold it to several direct marketing companies. Fidelity said in a prepared statement that about 2.2 million records stolen from the subsidiary, Certegy Check Services, contained bank account information; 99,000 contained credit card information.
This follows numerous other widely publicized leaks of personal information this year, including the loss of 45.7 million credit and debit card account numbers by the TJX companies in January. According to the Privacy Rights Clearinghouse, nearly 160 million records containing sensitive personal information have been involved in security breaches since the ChoicePoint incident in early 2005.
"I have to admit that I'm not convinced that actual breaches aren't more prevalent," Eric Maiwald, a senior analyst with the Burton Group, told SCMagazine.com. "I'm not at all convinced these didn't happen in the past, there just was no mechanism or requirement for companies to disclose."
Consumers whose data was stolen in the Certegy theft received "marketing solicitations," according to Renz Nichols, president of Certegy. The company said it has "no reason to believe" that any data lost in the breach was used in fraudulent activity.
According to Certegy, the perpetrator was a senior-level database administrator with rights to define and enforce data-access permissions. To avoid detection, the employee removed the information from Certegy's facility via physical devices, not electronic means.
Certegy said it has filed a civil complaint in St. Petersburg, Fla. against the employee, who has since been fired, and the marketing companies involved.
"An inside job is a difficult problem, in any case," noted Maiwald. "You have an individual who uses legitimate access to do something beyond what it should be able to do."
"How to prevent this? There's no single answer," he added.
He suggested companies perform not only pre-hire background checks of employees with access to sensitive data but "periodic, over-time checks," as well. Beyond that, he added, companies can "make sure employees have only least-privileges, and they should be auditing the various actions they're taking, especially [network and database] administrators."
Encrypting traffic in and out of databases containing sensitive data is another strategy financial services companies should consider, he said. That "gets tricky because database or systems administrators generally have lots of access -- access to different types of information is often key to doing their job -- and when you encrypt data to protect it from the prying eyes of administrators, it can [negatively affect] their job."