A California law firm has filed a class-action lawsuit against Certegy Check Services on behalf of the 8.5 million customers whose sensitive information was sold to direct marketers by a former employee of the check verification service.
The complaint alleges that Certegy, a wholly-owned subsidiary of Jacksonville, Fla.-based Fidelity National Information Services (FIS), did not institute adequate security controls to prevent the breach. The suit does not specify damages.
"Certegy and FIS have obligations to protect this data and keep it confidential," Eric Gibbs, a partner representing the plaintiffs, told SCMagazine.com today. "Their systems are set up in such a way, and the hiring is set up in such a way, that it looks like one individual was able to access it and walk away with it."
Gibbs is referring to William Sullivan, the former Certegy senior-level database administrator believed to be responsible for the theft. Sullivan is named in the legal complaint as one of the defendants, as is a Largo, Fla.-based company he reportedly owns, S&S Computer Services.
(Certegy has separately filed a civil lawsuit against Sullivan).
Since the breach was announced in early July, a number of customers who received notification letters have claimed they also have been victims of identity theft. Certegy officials have denied that any of the data has been used for fraudulent purposes.
An FIS spokeswoman did not return telephone calls seeking comment.
Gibbs said his firm interviewed about 100 people who received letters alerting them of the breach.
"Some people do believe that their confidential information has been accessed and possibly their accounts have been breached," he said. "Other people are concerned, but they don’t believe they’ve experienced that."
SC Magazine has received several emails from customers of stores, such as Bed Bath & Beyond, for which Certegy provides check-verification services, who have claimed fraudulent purchases have been posted to their banking and credit card accounts. Their stories first began appearing in online forums.
Joshua Cain of Denver recounted his experience in an email to SCMagazine: "I was in Las Vegas over the Memorial Day weekend, and as the slots sucked me dry, I had to use the ATM. No harm, I figured. When I returned home, I checked my bank balance and was overdrawn approximately $1,400, which would indicate a swing of approximately $1,500 (I had anticipated $100 left in that specific account)."
"Well, upon further investigation I was able to discern that the charges originated in France…while I was in Nevada," Cain continued. "I received a letter from [Certegy] approximately one month after I returned home. The letter told me that they didn’t believe that my checking account had been used for fraudulent activity, which I knew to be a complete lie, since I had already had to close my checking account. How is it that, as a consumer, I know that my account has been compromised, but one of the largest financial data companies in the country doesn’t know what’s happening? Or do they?"
The suit was initiated by a Los Angeles man, Theodore Borreson, who began receiving copious direct marketing and promotional offers through the mail and over the telephone in the days leading up to Certegy’s acknowledgement of the breach, according to a news release Wednesday from the law firm.
Click here to email reporter Dan Kaplan.