Payment companies devote countless hours and millions of dollars to protecting sensitive customer and payment data from outside computer hackers, but the theft of 2.3 million customer records announced today by check and card processor Fidelity National Information Services Inc. (FIS) shows that employee theft remains a serious, and difficult to eliminate, problem. According to a release from Jacksonville, Fla.-based FIS, a senior-level database administrator authorized to access customer records removed the records from FIS's St. Petersburg, Fla.-based Certegy Check Services unit physically, rather than over the network, to avoid detection. The records involved 2.2 million bank-account files and 99,000 records with credit card information. The employee, now fired, allegedly sold the information to a data broker, who in turn sold a subset of it to “a limited number” of direct-marketing firms, according to FIS. No fraud involving the stolen data has been reported, Certegy Check Services president Renz Nichols said in a release. The U.S. Secret Service and local law enforcement are investigating to establish details, including exactly when the theft occurred. This data theft is just the latest in a long string of such incidents, though most have involved apparent outside breaches of computer systems holding payment and customer data. The biggest was the one announced in January by The TJX Cos. that compromised more than 45 million cards (Digital Transactions News, Jan. 22). The Certegy theft immediately triggered a debate among analysts and security consultants about what can be done to monitor those entrusted with protecting data. “There's really no playbook for how a lot of these things get done,” says Brian Riley, senior analyst at Needham, Mass.-based TowerGroup Inc. 
“There's still going to always be vulnerabilities.” But researcher Avivah Litan, vice president at Stamford, Conn.-based Gartner Inc., says a number of new software programs have come to market in recent years that make monitoring of those entrusted with data security easier. These tools analyze database activity, e-mail attachments, and many other systems for suspicious behavior. The Sarbanes-Oxley Act of 2002, which imposed new fraud-control responsibilities on corporations, created a market for many of these programs. “This is a classical case of an individual having privileged access and at the same time not having anyone monitor that access,” she says. “No one was watching his access.” (A FIS spokesperson could not be reached for comment.) According to security researcher Larry Ponemon, founder and chairman of the Traverse City, Mich.-based Ponemon Institute, negligence in data management happens much more frequently than employee theft, but such thefts “can be extraordinarily costly. There needs to be a lot of vetting.” Certegy maintains bank-account data as part of its check-authorization service for retailers, and it keeps bank and credit card information on behalf of casinos that provide funding to their customers. Certegy discovered the theft after a retail client reported a correlation between a small number of check transactions and the receipt by its customers of telephone and direct-mail marketing solicitations. Certegy says it immediately started inspecting its security systems, and even hired a forensic investigator. But further inspection, including of its firewalls, still showed no breach, so Certegy asked the Secret Service to contact the marketing companies in question to trace the source of the data. It turned out that the company supplying the data to the brokers allegedly was owned and operated by the Certegy database administrator, who was entrusted to define and enforce data-access rights. 
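The monitoring Litan describes is, at its simplest, a comparison of each privileged account's database reads against that account's own history and an absolute ceiling for sensitive tables. The script below is an added illustration of that idea, not code from the article or from any product FIS or Certegy used. The audit-log format, the table and role names, the user `dba01`, the thresholds, and the log lines themselves are all constructed for the example. Note the caveat the Certegy case makes obvious: a tool like this sees the 2.2-million-row read, but not the copy that walks out the door afterwards, so the alert has to reach a person who will act on it.

```python
"""Flag anomalous bulk reads of sensitive tables by privileged accounts.

Constructed example. The log format, thresholds, table names and sample
lines are assumptions for illustration, not real FIS/Certegy settings.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed policy values for this example.
SENSITIVE_TABLES = {"consumer_bank_accounts", "card_accounts"}
PRIVILEGED_ROLES = {"dba", "sysadmin"}
ABSOLUTE_ROW_LIMIT = 50_000     # any single read above this from a sensitive table is suspicious
BASELINE_MULTIPLIER = 20        # ...or a read more than 20x the same user's prior median
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59; reads outside this window add a reason

# Assumed key=value audit line: "<iso-timestamp> user=.. role=.. action=.. table=.. rows=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    table: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse the assumed audit format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["role"],
                            m["action"], m["table"], int(m["rows"])))
    return events


def detect_bulk_reads(events: list[Event]) -> list[dict]:
    """Return one alert per SELECT on a sensitive table that exceeds the absolute
    limit or is far above the user's own baseline.  The baseline is the median
    row count of that user's *earlier* events, so an outlier cannot hide by
    inflating its own baseline."""
    history: dict[str, list[int]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        prior = list(history[ev.user])
        reasons = []
        if ev.action == "SELECT" and ev.table in SENSITIVE_TABLES:
            if ev.rows > ABSOLUTE_ROW_LIMIT:
                reasons.append(f"rows={ev.rows} exceeds absolute limit {ABSOLUTE_ROW_LIMIT}")
            if prior:
                baseline = statistics.median(prior)
                if ev.rows > BASELINE_MULTIPLIER * baseline:
                    reasons.append(f"rows={ev.rows} is >{BASELINE_MULTIPLIER}x prior median {baseline}")
        if reasons:
            # Context that raises priority for a reviewer; not triggers on their own.
            if ev.role in PRIVILEGED_ROLES:
                reasons.append("privileged role")
            if ev.ts.hour not in BUSINESS_HOURS:
                reasons.append("off-hours")
            alerts.append({"ts": ev.ts.isoformat(), "user": ev.user, "table": ev.table,
                           "rows": ev.rows, "reasons": reasons})
        history[ev.user].append(ev.rows)
    return alerts


# Constructed sample log: routine one-row lookups by the check-authorization
# service, small DBA maintenance reads, then two late-night bulk reads.
SAMPLE_LOG = """\
2007-05-01T09:12:03 user=app_checkauth role=service action=SELECT table=consumer_bank_accounts rows=1
2007-05-01T09:12:04 user=app_checkauth role=service action=SELECT table=consumer_bank_accounts rows=1
2007-05-01T10:41:19 user=dba01 role=dba action=SELECT table=consumer_bank_accounts rows=12
2007-05-02T14:03:55 user=dba01 role=dba action=UPDATE table=consumer_bank_accounts rows=3
2007-05-03T23:17:40 user=dba01 role=dba action=SELECT table=consumer_bank_accounts rows=2200000
2007-05-03T23:25:02 user=dba01 role=dba action=SELECT table=card_accounts rows=99000
2007-05-04T11:00:00 user=analyst01 role=analyst action=SELECT table=merchant_list rows=400000
"""

if __name__ == "__main__":
    for alert in detect_bulk_reads(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script reports the two `dba01` reads (2,200,000 and 99,000 rows) and stays silent on the 400,000-row read of a non-sensitive table. In practice the baseline would be built from weeks of history and the read of the authoritative audit trail would be owned by someone other than the account administering the database, since here the person being monitored also controlled data-access rights.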
Certegy did not identify the former employee, but, according to the Reuters news service, a lawsuit Certegy filed Monday in St. Petersburg names a William Sullivan as the former employee in question. Certegy is suing Sullivan and eight marketing companies in a Florida state court to halt any improper use of the data and to obtain the names of those to whom they may have been released. The suit seeks actual and punitive damages. The misappropriated information included names, addresses, and telephone numbers, and in many cases dates of birth as well as bank-account and credit card data, according to FIS. Besides aiding law-enforcement officials, Certegy says it has alerted Visa, MasterCard and the three major credit-reporting agencies, and will be personally notifying all affected consumers.