July 09, 2007 (Computerworld) -- Call it a case of hiring a fox to guard the henhouse.
Fidelity National Information Services Inc. said last week that a senior database administrator responsible for defining and enforcing data access rights at one of its subsidiaries sold the personal information of about 2.3million consumers to a data broker. The broker in turn sold a subset of the data to “a limited number” of direct marketing companies, Fidelity National said.
The Jacksonville, Fla.-based company, which offers data processing and outsourcing services to financial institutions and other businesses, added that the stolen data included names, addresses, birth dates, and bank account and credit card information.
For now, at least, it appears that the companies that bought the information have used it mainly to send marketing solicitations to the affected individuals, according to Fidelity National. “We have no reason to believe that the theft resulted in any subsequent fraudulent activity,” said Renz Nichols, president of the company’s Certegy Check Services Inc. unit.
The database administrator has since been fired, and Fidelity National has filed a civil complaint in a court in St. Petersburg, Fla., against him and the companies that received the stolen data, seeking its return. Fidelity National said it also is “encouraging immediate prosecution” of the DBA by law enforcement authorities.
The data theft came to light after a retailer that uses Certegy’s check authorization service reported a correlation between transactions and the receipt of external marketing offers by its customers. Fidelity National called in the U.S. Secret Service, which found that the data had come from a company owned by the Certegy DBA.
“The external attacker gets all the ink,” said Andrew Jaquith, an analyst at Yankee Group Research Inc. But, he added, companies also need to pay close attention to workers with high levels of system privileges.