Fidelity National Information Services, a US-based financial-processing company, said today a senior-level database administrator at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information.
"It's a reminder that the best security systems are not immune to rogue employees," said Renz Nichols, president of the subsidiary, Certegy Check Services, in a press conference today.
The company uncovered the actions of worker, who was terminated, in the beginning of May, Nichols said. He added that Certegy, at this stage of the investigation, believes that the database administrator didn't transmit the files electronically over a network but may have stolen them by storing them sometime earlier this year in a device that could be carried out the door.
He said Certegy is working with the Tampa office of the US Secret Service and police authorities in Florida to pursue prosecution of the individual, whom he declined to name.
However, a spokeswoman for Fidelity National Information Services has confirmed that the name of the ex-database administrator is William Sullivan, said to own a company called S&S Computer Services in Largo. Efforts to reach Sullivan and S&S Computer Services for comment were not successful.
The theft entails records, which include names, addresses, telephone numbers as well as bank account and credit card information. The database administrator allegedly sold this data for an undisclosed amount to a data broker, Certegy Check Services said.
The data broker in turn sold the information to various marketing firms. Certegy said the theft came to light when one of Certegy's cheque processing customers alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer's customers of direct telephone solicitations and mail-marketing materials.
Certegy said it launched an investigation with the help of the US Secret Service, which contacted the marketing companies to question them in order to trace the source of the data.
The US Secret Service was able to identify the company supplying the information, and Certegy and the Secret Service determined the company was owned and operated by a Certegy employee.
This employee had been a high-level worker at Certegy who was entrusted with defining and enforcing data-access rights. "We have five database administrators," Nichols said. "We are taking steps to know exactly what they are doing in these systems."
Certegy has taken legal action to compel marketing firms to purge the stolen data from their databases, though so far most have been cooperative without the need for legal pressure, the firm said.
So far, the investigation has not turned up evidence that the stolen data has been used for financial fraud or identity theft, Certegy said.
The firm is sending out letters to the 2.3 million individuals affected by the data breach. Certegy, which is implementing a fraud watch associated with the stolen records, has also notified credit reporting agencies TransUnion, Equifax and Experian of the incident, in addition to notifying Visa and MasterCard.