Certegy's ID breach lost 8.5 million names
In an updated filing with the Securities and Exchange Commission, Fidelity National Information Services revealed that about 8.5 million consumer records were stolen at the time of a data breach at subsidiary company Certegy.
The company previously reported only 2.3 million were stolen.
According to a civil complaint filed by Certegy in the Circuit Court of the Sixth Judicial Circuit in St. Petersburg, FL, the employee was senior level database administrator William G. Sullivan, who had been employed by the company for seven years and who was entrusted with defining and enforcing data access rights.
According to the initial filing, Sullivan obtained information from Certegy's database. It said either individually or through Sullivan's wholly owned entity, S&S, he was paid for the information by list broker JAM Marketing Inc. JAM went on to disseminate the misappropriated information to other direct marketing firms, including Strategia Marketing LLC, Data Secure IP LLC, MC List Escrow Inc.; Quality Resources Inc.; Whitehat.com Inc; and Quality Teleservices Management Inc., doing business as Custom Response Teleservices.
In the court document, Certegy said that the broker and the direct-marketing companies were not aware that the information had been stolen.
"To date, after elimination of duplications and invalid data, the company has determined that approximately 8.5 million consumer records were stolen," the new SEC filing says. "Some of these records contained only identifying information, for example, name, address, telephone number and, in some cases, date of birth."
About 5.7 million of the records included checking account records and about 1.5 million included credit card records, according to the company.
Certegy and Fidelity National Information Services did not return calls and e-mails.
"This is an incremental increase of approximately 3.5 million checking account records and approximately 1.4 million credit card records over our announcement on July 3, 2007," the filing said.
The company has determined that a portion of the stolen credit card information was derived from its credit card issuance business.
Because the investigation is continuing, it is possible that more records may be identified in the future, according to the filing.
There is no evidence of the stolen data being used for anything other than marketing purposes.
The company does not expect significant liability to consumers or institutions for financial fraud.However, it said there can be no assurance that this matter will not result in fines or other consequences that adversely impact the company or its relationship with governing organizations, customers or regulators.