Millions of Records Stolen from Fidelity Subsidiary

Call it the case of hiring a fox to guard the henhouse. A senior database administrator at a subsidiary of Fidelity National Information Services who was responsible for defining and enforcing data access rights at the company instead took data belonging to about 2.3 million consumers and sold it to a data broker.

The broker in turn sold a subset of the data to other marketing companies. The stolen data included names, addresses, birth dates, and bank account and credit card information, the company said in a statement released Tuesday.

For the moment, at least, it appears that the companies that bought the information have mainly used the data to send marketing solicitations to affected individuals, Fidelity said in its statement.

“We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer,” Renz Nichols, president of Fidelity subsidiary Certegy Check Services, was quoted as saying in the release.

The database administrator, who has since been terminated, worked for Certegy, which provides a check-authorization service to help merchants decide whether to accept checks as payment for goods and services.

The theft was first noticed when one of Certegy’s retail customers in early May reported a correlation between a “small amount” of check transactions and the receipt by the retailers’ customers of telephone and mailed marketing solicitations, Fidelity said.

When an internal Certegy investigation prompted by the complaint failed to find any evidence of a computer breach, the company asked the U.S. Secret Service to contact the companies sending the solicitations to trace the data source.

The investigation showed that the source of the data was a company owned by the Certegy database administrator who had also stolen the data. To avoid detection, the administrator appears to have downloaded the data to a storage device rather than transmit it electronically. It wasn’t until the middle of last week or so that the full extent of the theft was discovered, a Fidelity spokeswoman said.

Certegy has begun notifying the 2.3 million affected customers about the potential compromise of their data, the spokeswoman said. It has also filed a civil complaint in St. Petersburg, Fla., against the database administrator and the companies that received the stolen data asking them to return it, she said.

In a statement, Fidelity President and CEO Lee Kennedy expressed his “deep sadness and heartfelt apology” over the incident. “We will do everything possible to ensure no consumer is harmed because of this horrible betrayal,” he said.

—Jaikumar Vijayan, Computerworld (US online)