Admin to Plead Guilty in Theft of 8.5M Records from Database

A senior database administrator at a subsidiary of Fidelity National Information Services Inc. (FIS) who was accused of stealing about 8.5 million customer records and selling them to data brokers is expected to plead guilty Wednesday to felony fraud charges in U.S. District Court in Tampa, according to court documents.

William G. Sullivan has also agreed to pay court-ordered restitution to victims, cooperate with ongoing investigations and forfeit the more than US$105,000 he still has remaining from selling the stolen data. In exchange, according to a plea agreement also filed with the court, federal prosecutors are expected to recommend a reduction from the maximum five-year sentence that Sullivan could have gotten.

Sullivan worked as database administrator for Certegy Check Services Inc., a St. Petersburg, Fla.-based Fidelity subsidiary that provides a check-authorization service to financial institutions and merchants across the globe. FIS itself is a provider of transaction processing and related services to the financial industry. It is separate from the better-known Fidelity Investments.

Court documents described Sullivan as a resident of Pinellas County, Fla., who in his official capacity as database administrator had access to large amounts of confidential consumer data in Certegy’s databases. The consumer information included names, addresses, dates of birth, phone numbers, checking account numbers, credit and debit card numbers, and payment card transaction data.

Between February 2002 and August 2007, Sullivan allegedly accessed Certegy’s databases and systematically downloaded what were later found to be records belonging to about 8.5 million customers. Sullivan then allegedly sold the records to an as-yet-unindicted third party, who in turn sold the data to other brokers. In an apparent attempt to hide his tracks, Sullivan, in 2002 established a company in Largo, Fla., named S&S Computer Services, which he is accused of using as a front to sell the stolen data.

Sullivan was allegedly paid a total of $580,000 for the stolen data by the third party, who was termed a co-conspirator in court documents.

His actions were discovered when one of Certegy’s retail customers in early May reported a correlation between a "small amount" of check transactions and the receipt by the retailers’ customers of telephone and mailed marketing solicitations, FIS said in July.

Initially, the company said that only about 2.3 million records had been stolen. However, in filings with the U.S. Securities and Exchange Commission about two weeks later, FIS raised that number to 8.5 million. Of those records, about 5.7 million were checking account records and about 1.5 million included credit card data. The remaining records contained only identifying information, such as names, addresses, dates of birth and telephone numbers, FIS said in its SEC filing.

FIS claimed that the stolen information appeared to have been sold and used purely for direct marketing purposes and not for identity theft or other fraudulent purposes. That was not enough, however, to stop class-action lawsuits from being filed against the company. In August, a Los Angeles resident filed a class action suit seeking unspecified damages against Certegy for its alleged failure to properly protect consumer data and for failing to adequately monitor the actions of its employees.

Another class action lawsuit filed by an Austin resident also charged Certegy with, among other things, failing to implement adequate data security controls and not detecting or responding to the theft soon enough.

By Jaikumar Vijayan, Computerworld (US online)

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)