Fidelity National Breach Seen Pointing to Shifting Risk

The massive data security breach that Fidelity National Information Services Inc. disclosed Tuesday has apparently not led to any cases of fraud, but experts said it is noteworthy for two reasons.

The incident is a rare example of large-scale data theft by a company insider, and indicates that sellers of stolen information are learning how to find buyers even if they have no criminal contacts.

Many of the big breaches reported to date have been either accidents or the work of outside hackers who used the stolen consumer information for identity theft. In this case the employee sold the files to a data broker, which in turn passed them on to several marketing companies.

Experts said breaches masterminded by insiders are rare, as is the sale of customer information to marketers, but they said that the Fidelity case is a sign that more people are becoming aware of the value of such data and that the market for these valuable files could be expanding.

Fidelity announced Tuesday that a database administrator for its Certegy Check Services Inc. subsidiary, who was fired last week, had stolen 2.3 million customer account numbers.

Renz Nichols, Certegy's president, said there is no indication that the information has been used for fraud. He also said that the data broker and marketers are cooperating with an investigation.

"What we think," Mr. Nichols said on a conference call Tuesday, is that the broker "only sold, in fact, the last four digits" of the account numbers. The data included 2.2 million bank account numbers and 99,000 credit card account numbers.

George Tubin, a senior analyst at TowerGroup Inc., an independent research firm owned by MasterCard Inc., said that large insider breaches are rare. But financial companies need to be aware of the growing market for this data, he warned. "As time goes on, the value of that data is going to increase."

During the call Mr. Nichols did not identify any of the parties involved in the case. But a civil complaint filed Monday named William G. Sullivan of Pinellas County, Fla., as the perpetrator. According to the filing, Mr. Sullivan established a company called S&S Computer Services Inc. to sell the information he allegedly took, and the buyer was Jam Marketing Inc. of Seminole, Fla., which paid him a "substantial consideration."

Directory assistance had no listing for a William G. Sullivan. According to Florida's secretary of state, Jam Marketing is owned by Michael S. Currier, but directory assistance has no listing for the company. The corporate address on file is a residence, and Mr. Currier's phone number is unlisted.

Fidelity said the breach dates to January. To avoid electronic detection, Mr. Sullivan removed the data "via physical processes," the company said, though Mr. Nichols would not elaborate on this.

Fidelity has contacted the card associations and credit bureaus and is establishing a way for banks to learn if their accounts were affected. It also plans to notify consumers.

Fidelity became aware of the breach on May 1, when it was contacted by one of its retail check processing clients. That retailer's customers had complained about direct marketing calls and mailings, and the merchant eventually found that the customers had all used checks at its stores.

Fidelity found no evidence that its network had been penetrated. With the help of the Secret Service, it determined that Mr. Sullivan had accessed the data improperly.

Mr. Nichols said that only five employees had this level of access and that all - including Mr. Sullivan, who joined the company in 1998 - had undergone background checks when they were hired. The remaining four have been put under extra scrutiny as a precaution, though Mr. Nichols would not discuss the new measures.

John Joyce, the special agent in charge of the Secret Service's Tampa field office, said Tuesday that the investigation was ongoing and that Mr. Sullivan had not been charged with any criminal violations. "At this point we're not in a position to charge anybody," he said.

The civil filing accused Mr. Sullivan of an "egregious breach of his duty," and asked for unspecified damages. The suit also asked for an injunction barring the marketing companies that received the data from using it.

Avivah Litan, a vice president and research director at the market research company Gartner Inc., said that she knew of no incidents where an employee had sold customer data to marketers. She warned that the data could eventually end up used in fraud cases.

Even if the companies delete the data as requested, "there could be copies that were distributed," Ms. Litan said.

Fidelity "should be worried. The story could just be beginning."
