Fidelity employee steals 2.3 million consumer records

Fidelity National Information Services, the major US financial processing company, said today a senior level database administrator at one of its subsidiaries stole 2.3 million consumer records containing bank account and credit card information as well as other personal information. The data was commandeered by an unnamed, now …

COMMENTS

This topic is closed for new posts.
  1. Ed

    I'm impressed!

    That's an impressive number of people's details to steal. It's remarkable that companies still get away with such negligence with almost no regulatory come-back...

  2. Adrian Crooks

    Nothing impressive, at least they apologized

    This was an inside job so I don't blame them for negligence. Any company can run as many background checks and employee evaluations as they want, but a bad seed with the right access is untouchable unless/until someone else finds out.

  3. RichardB

    The really important info is missing...

    ...how much did he get for it?!

  4. Pascal Monett Silver badge

    Hey wait a minute

    I'm first in line to bash a company for a stolen laptop with personal details, but hey, this time it's a "senior level database administrator" that made off with company data.

    An admin is one of the most crucial, security-sensitive jobs there is. An admin can get his hands on just about anything, and companies everywhere live in fear of not being able to trust their own admin.

    There is nothing you can do against an admin that he won't find out sooner or later. Either you trust him, or you fire him.

    This despicable individual abused his employer's trust to make himself some fast money. Can't blame the company on that one.

  5. James Cleveland

    Also

    The company is being open and honest and apologetic about the situation. They deserve credit for this. There really isn't much they could have done to prevent this.

  6. Jan Buys

    Just wondering...

    how they knew that guy did it?

  7. Anonymous Coward

    Wait a minute II

    Has nobody heard of auditing? My company specifically audits ALL access to personal/consumer data. Any out of the ordinary behaviour that gets logged is instantly looked at.

    So, yes, I blame the company. It is their responsibility to ensure data is protected.

  8. Martin Benson

    A civil complaint...?

    >>Certegy has filed a civil complaint against the former employee and the marketing firms they believe purchased the data.

    A civil complaint? Why on earth isn't he being prosecuted? To my mind, he's as guilty of theft as if he'd stolen a truckload of laptops and flogged them.

  9. Doc Farmer

    Earth to Florida's State Prosecutor...

    TOBAL (There Oughta Be A Law) to cover the trafficking of stolen merchandise, receipt of stolen merchandise, grand theft (depending on how much this jerk sold the data for), privacy violations, etc. Also, since Fidelity is covering banking data, I could see how prosecutions could occur against this jerk for violating FFIEC and OCC regs. Get off your butt and start the paperwork already!

    The Payment Card Industry (PCI) should also take steps to sue the excrement out of the thief AND the recipient companies, to make it known that this sort of stuff will cause severe financial repercussions.

  10. Anonymous Coward

    Wait a minute III

    >> Has nobody heard of auditing? My company specifically audits ALL access to personal/consumer data. Any out of the ordinary behaviour that gets logged is instantly looked at.

    Blind faith, I'm afraid. Backup tapes can be swapped or duplicated (80GB on a DAT160 tape the size of a box of Swan Vestas), copies made from legitimate off-line instances (data warehouses, developer environments, etc.).

    Although companies can monitor every keystroke made by their drones and non-teccies, they will always have to trust a core team of senior administrators and developers.

  11. Nexox Enigma

    Re: Wait a minute II

    So, assuming that your admin cannot alter the audit routines or the recorded data, you're just passing the power down to an auditor. At some point you have to have someone with the power, and you have to be able to trust them.

    And we all know that any BOFH worth his impressive consulting fees has a whole list of ways to get around an audit. What if the database is stored on a mirrored array and he simply swaps the drives around such that he ends up with a whole mirrored set? What if he has the passwords of a whole lot of users so that he can distribute his database calls over a large population segment so that analysis is harder to perform? What if he just sniffs the data going over the wire when people access records legitimately?

    You really just have to have a trustworthy admin.

  12. Anonymous Coward

    Simon said!

    The BOFH shows us how (-:

    "Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."

    "And how long would that take?"

    "Oh, the commonplace user would take days - with mistakes, etc. - to do all that."

    "And you?"

    "I usually do it while the PFY’s getting a coffee. Mind you, I do have a script that does most of it…"

  13. Dillon Pyron

    Which Fidelity?

    Does Fidelity Financial Services own this company? I have an account with Fidelity Investments. Should I call my account manager? WTH, I will, anyway.

  14. Dillon Pyron

    Never mind

    "That is not us at all, no need to panic"

  15. John A Blackley

    Just not getting it

    "We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer,"

    Yes you do. For goodness sake, have a thought.
