Fidelity’s Data Theft Yet Another Signpost on Insider Threat

The recent announcement by Fidelity National Information Services, a financial processing company, that one of its employees at a subsidiary stole 2.3 million consumer records containing credit card, bank account and other personal information is yet another drop in the bucket of data leakage. And it portends the further need for companies, including financial institutions to know what employees, contractors and third parties are doing with the data entrusted to them.

What happened in Fidelity’s case is an old story of greed and disgruntlement joining in one moment, the employee, described by Fidelity as a now “former employee” sold the information to an unidentified data broker. The broker then sold it to several direct marketing companies, but the data was not used in identity theft or other fraudulent financial activity, officials from Fidelity subsidiary Certegy Check Services Inc. said.

About 2.2 million records stolen from Certegy contained bank account information and nearly 100,000 contained credit card information, the company said. In all, nearly 2.3 millions records were taken.

As a result of the theft, the consumers affected received marketing solicitations from the companies that bought the data. At this point, Certegy officials believe that is the extent of any damage to the public. The company said it has found no fraudulent use of the information.

Certegy officials said they had contacted the data broker and the marketing companies and believed it would be able to get the data back and prevent its future use. The broker and the companies did not know they were buying stolen information, officials said.

Certegy will notify all affected consumers of the theft and has contacted major credit agencies, the company said.The employee, whose name was not released, was fired.

Bonnie Kramer, Chief Operating Officer at the Financial Service Centers Cooperative (FSCC), in San Dimas, CA, has a different take on the threat of insiders and how financial institutions should handle it. Kramer has her own story of identity theft, as one of FSCC’s credit unions in its network of 300 credit unions uncovered identity theft that was traced back to an internal source. FSCC’s 300 credit unions have an average asset size of $445 million and represent 12 million members. “We saw that it looked like there was a lot of internal fraud going on. We then implemented encryption and brought a monitoring tool on board to protect data and transactions," she explained.

She said any personally identifiable information held electronically on databases is encrypted. Encryption is one action that FSCC recommends to its credit unions, Kramer said.

Kramer compared a financial institution’s networks to a pair of red “Long Johns,” “Everything is buttoned up in the front, with firewalls and an IDS and the network is protected from outsiders. But what about the back end? Is the back flap buttoned up so nothing leaks out of your organization?” she said.

Kramer concluded, “If more institutions were using monitoring tools that they wouldn’t be suffering as many data breaches as they already have. I like the idea that we’re ahead of the curve.”