A class action lawsuit has been filed against Fidelity National Information Services following the theft of 8.5 million customer records at its Certegy unit by a former database administrator who sold the information to data brokers that in turn sold it on to direct marketers.
Fidelity said in July that a former employee at its Certegy unit stole 2.3 million customer records. However, according to a 25 July Securities and Exchange Commission filing, Fidelity said an on-going investigation into the incident found that approximately 8.5 million consumer records were stolen - over three times the original estimate.
Around 5.7 million of the records included chequing account records, while approximately 1.5 million included confidential credit card information.
According to press reports, court documents filed by Fidelity allege that former employee William Sullivan sold the information to data broker Jam Marketing, which then sold it to several direct marketing firms.
Sullivan was senior level database administrator who was responsible for enforcing data access rights at Certegy. It is thought he removed the data from the Certegy facility using "physical processes" - not electronic transmission - in order to avoid detection.
San Francisco law firm Girard Gibbs says it has filed the complaint on behalf of customers whose financial and personal data was stolen and handed over to third parties.
The case was brought by a California resident who, prior to the disclosure of the data breach, started noticing an influx of direct marketing and promotional offers, as well as phone calls to his home. After subsequently receiving a letter from Certegy informing him that his personal data may have been compromised by one of its employees, the plaintiff engaged a credit monitoring service.
The complaint alleges that Certegy and Fidelity failed to implement and maintain adequate security measures to protect confidential financial and personal data, which subjected consumers to risk of ID fraud, says the firm.
Eric Gibbs, one of the attorneys for the plaintiff, says: "Certegy and FIS (Fidelity) had a duty to safeguard the confidential data of consumers from any breach, including that of their employees. Once the internal breach became known, it should have been communicated to the public in a timely and adequate manner."
The lawsuit, which has been filed in a federal district court for the Central District of California, asserts claims of negligence, invasion of privacy and breach of implied contract.
Certegy has previously said the theft came to light when affected customers began receiving unwanted calls and marketing material through the post from the direct marketing companies that had bought the stolen data.
The company says it launched an immediate investigation but, after failing to detect any breach of its firewalls and systems security, requested that the US Secret Service contact the marketing companies in question to trace the source of the data. The company supplying the data was found to be owned and operated by a Certegy employee.