[Dataloss] (update) Fidelity National Information Services Announces Misappropriation...

lyger lyger at attrition.org
Tue Jul 3 16:46:33 UTC 2007


(More details than you can shake a stick at.  It should also be noted 
that the "Fidelity" in this instance is NOT related to Fidelity 
Investments or their subsidiary, National Financial.)

http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLTU02603072007-1.htm

Fidelity National Information Services, Inc., announced today that its 
subsidiary, Certegy Check Services, Inc. ("Certegy"), a service provider 
to U.S. retail merchants, based in St. Petersburg, Florida, was victimized 
by a former employee who misappropriated and sold consumer information to 
a data broker who in turn sold a subset of that data to a limited number 
of direct marketing organizations. The incident does not involve any 
outside intrusion into, or compromise of, Certegy's technology systems.

"As a result of this apparent theft, the consumers affected received 
marketing solicitations from the companies that bought the data," said 
Renz Nichols, President of Certegy Check Services. "We have no reason to 
believe that the theft resulted in any subsequent fraudulent activity or 
financial damage to the consumer, and we are taking the necessary steps to 
see that any further use of the data stops."

Background

Certegy maintains bank account information in connection with its check 
authorization business that helps merchants to decide whether to accept 
checks as payment for goods and services. In addition, Certegy maintains 
check and credit card information in connection with its gaming operations 
that are designed to assist casinos in providing their customers with 
access to funds.

This theft came to light when one of Certegy's retail check processing 
customers alerted Certegy to a correlation between a small number of check 
transactions and the receipt by the retailer's customers of direct 
telephone solicitations and mailed marketing materials. Certegy launched 
an immediate investigation and was unable to detect any breach of its 
security systems and, thereafter, engaged a forensic investigator to 
validate its findings. Unable to detect any compromise in its firewalls 
and other system security measures, Certegy requested that the U.S. Secret 
Service contact the marketing companies in question to trace the source of 
the data. The Secret Service was able to identify the company supplying 
the information and, with further assistance from Certegy, determined that 
the company was owned and operated by a Certegy employee. The employee was 
a senior level database administrator who was entrusted with defining and 
enforcing data access rights. To avoid detection, the technician removed 
the information from Certegy's facility via physical processes, not 
electronic transmission.

[...]

