A senior database administrator at payment firm Certegy Check Services secretly copied 2.3 million records containing bank-account and credit-card information and sold it to marketing firms, Fidelity National Information Services (FNIS), Certegy's parent company, said this week.
The incident came to light when one of Certegy's retail checking clients complained that marketing pitches appeared to be targeting its customers. FNIS conducted an investigation into its systems, but could not find evidence of intrusion, so the company requested that the U.S. Secret Service investigate the source of the marketing firm's information. The law-enforcement agency's queries pinpointed an employee at Certegy, who had apparently electronically copied the data and removed it physically from the company's offices.
So far, the information has only appeared to have been used for marketing purposes, Renz Nichols, president of Certegy Check Services, said in a statement on Tuesday.
"We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops," Nichols stated.
Data breaches have increasingly been in the news as more states require that companies notify consumers when personally-identifiable information is put at risk. Retail giant TJX Companies has come under fire since first announcing earlier this year that its lax security resulted in the theft of at least 45.6 million credit-card and debit-card numbers. The breach has resulted in significant credit card fraud, including fueling a scheme in Florida that cost businesses at least $8 million. A group of New England banks have sued the company for the cost of replacing debit cards whose accounts were compromised by the theft.
Marketing firms have also been criticized for their tactics in many cases. In April, an investigation found that student-loan lenders had improperly accessed government data on loan recipients for marketing purposes. A government taskforce has concluded that identity-theft laws and consumer-data protection statues need to be unified.
In the last incident, Certegy has filed a complaint in Florida against the former employee, has request that the marketing firms return the information, and is encouraging immediate prosecution. The company has also notified regulatory agencies, credit-card companies and credit-reporting agencies about the data theft.
Posted by: Robert Lemos