Data is sold to Marketing Solicitation Companies; No Fraudulent Activity of Identity Theft Detected. Secret Service and Local Law Enforcement Investigations are Ongoing
Fidelity National Information Services, Inc. , announced today that its subsidiary, Certegy Check Services, Inc. ("Certegy"), a service provider to U.S. retail merchants, based in St. Petersburg, Florida, was victimized by a former employee who misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. The incident does not involve any outside intrusion into, or compromise of, Certegy's technology systems.
"As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data," said Renz Nichols, President of Certegy Check Services. "We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops."
Background
Certegy maintains bank account information in connection with its check authorization business that helps merchants to decide whether to accept checks as payment for goods and services. In addition, Certegy maintains check and credit card information in connection with its gaming operations that are designed to assist casinos in providing their customers with access to funds.
This theft came to light when one of Certegy's retail check processing customers alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer's customers of direct telephone solicitations and mailed marketing materials. Certegy launched an immediate investigation and was unable to detect any breach of its security systems and, thereafter, engaged a forensic investigator to validate its findings. Unable to detect any compromise in its firewalls and other system security measures, Certegy requested that the U.S. Secret Service contact the marketing companies in question to trace the source of the data. The Secret Service was able to identify the company supplying the information and, with further assistance from Certegy, determined that the company was owned and operated by a Certegy employee. The employee was a senior level database administrator who was entrusted with defining and enforcing data access rights. To avoid detection, the technician removed the information from Certegy's facility via physical processes; not electronic transmission.
Employee Betrayal
Although the employee was authorized to access the consumer information in order to perform his job responsibilities, the removal and unlawful use of that information were, obviously, outside the scope of his employment and Certegy's knowledge. This unlawful transfer of company information violated the individual's confidentiality commitment to Certegy and is a severe breach of fiduciary duty. As a result, the employee was terminated. Certegy is taking appropriate steps to hold the dismissed employee responsible for his actions.
No Evidence of Fraud
The misappropriated information included names, addresses, and telephone numbers as well as, in many cases, dates of birth and bank account or credit card information. Approximately 2.3 million records are believed to be at issue, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred.
While Certegy's investigation continues, it has seen no evidence that bank account or credit card information was used for anything other than marketing purposes, and is unaware of any instance of identity theft or fraudulent financial activity. Most importantly, Certegy is doing everything possible to ensure that any inconvenience experienced by consumers is minimized.
Immediate Action
Certegy is committed to a disciplined action plan designed to minimize the impact of the misappropriated consumer information, particularly to consumers.
- Certegy has filed a civil complaint in St. Petersburg, Florida against
the former employee and the marketing companies believed to have
received the misappropriated data seeking retrieval of all consumer
information as well as an injunction against any use.
- Certegy has contacted the applicable marketing companies in order to
obtain the return of all consumer information.
- Certegy proactively engaged law enforcement and is encouraging
immediate prosecution.
- Certegy is in the process of making any required notifications to
governing state regulatory agencies.
- Certegy has alerted the nation's three major credit reporting agencies,
TransUnion, Equifax and Experian.
- Certegy has notified Visa and MasterCard of the incident.
- Certegy is establishing a procedure for financial institutions to
obtain information about their customers' accounts so that they can
place them on an active fraud watch.
- Certegy will be personally notifying all affected consumers of this
misappropriation, and establishing a toll-free hotline to answer
consumer questions.
- Certegy has implemented a fraud watch on its internal systems for those
checking accounts that are implicated.
- Certegy continually reviews its security policies, and is taking steps
to help prevent future incidents.
- Certegy continues to confirm that there was no financial or identity
theft caused by this incident; only the improper use of information for
telemarketing and mail solicitations.
Based on the investigation to date, Certegy does not expect that the costs to implement this action plan will materially impact financial results.
Certegy will host a news conference via telephone (800) 289-0544 at 9:30 am
ET, Tuesday, July 3, 2007.
Conclusion
Certegy is a conscientious company that takes its responsibility to protect and preserve consumer information very seriously. It carefully selects and screens employee candidates, monitors and supervises employees, and maintains a whistleblower hotline for employees to report fraudulent or criminal activity. Certegy also encourages its employees to report any improper behavior they witness. We regret this unfortunate incident happened despite all of these efforts. Resolving this matter and implementing additional safeguards is the company's highest priority.
"I am extremely proud of the employees and law enforcement officials who are working diligently to uncover the facts in this incident. On behalf of Fidelity National Information Services and our Certegy subsidiary, I want to express my deep sadness and heartfelt apology over this incident," said Lee A. Kennedy, President and Chief Executive Officer, Fidelity National Information Services. "We will do everything possible to ensure no consumer is harmed because of this horrible betrayal." - PRNewsWire
