Friday, July 6, 2007

When a DBA goes bad



What happens when a DBA goes bad? In the recent case involving Certegy Check Services (a Fidelity National Information Services), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information is compromised.

In the July 3rd press release:


“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division

Data sold to Marketing Solicitation Companies;
No Fraudulent Activity of Identity Theft Detected”


The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA; a guy named William Sullivan also allegedly owns a side-business named S&S Computer Services in Largo Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes" not by transmission.

How does a business protect itself (and customers)?
I can think of two things right off the bat; extensive employee screening for employees with access to sensitive information and segregation of duty.

Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.

Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access the data, and also audits who has accessed the data! Bad news. As security professionals, we should never accept a single entity with all three of these rights. There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have their security personnel look into these products.

Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.

Certegy's Actions (thus far)
Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. Petersburg.)

NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.

Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.

NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.

From Renz Nichols, president of Certegy Check Services "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.


30 comments:

Anonymous said...

Certegy has no checks for data security. I mean no checks!!! They also have a big offshore Indian company that has access to this same data that was stolen.

Anonymous said...

I am one of the 2.3 million victims of this "breach" of security. I'm wondering...are any individuals like myself going to sue Certegy or Mr. Sullivan? Is it even possible?

The Trusted Toolkit said...

I am truly sorry to hear that you are one of the victims. When I read the things that Certegy releases to the press about this, it makes me very uneasy. You would think that Certegy was this victim here, not the innocent consumer!

I would be surpised if there was not a class action suit against Certegy pending. I am not a lawyer, so I don't know intricate details of what such a lawsuit would look like. If a class action suit were to be filed, you would most likely be contacted to participate.

Suing Mr. Sullivan would do little as his assets are not going to be enough to make a difference to the victims.

Yes, it certainly is possible.

See examples:
http://www.boston.com/business/globe/articles/2007/01/30/tjx_faces_class_action_lawsuit_in_data_breach/

and

http://www.consumeraffairs.com/news04/2005/cardsystems_suit.html

Helping people with information security is my passion. I sincerely wish you the best.

Another good resource for you:
http://www.ftc.gov/bcp/edu/microsites/idtheft/

Anonymous said...

my gf got the letter too. I do network security auditing for a living, and this is her second one in two months.

I'm getting tired of closing her bank accounts.

Anyone hear the mp3 on the homepage of certegy? What a joke!

macker

Anonymous said...

I received my letter July 13th from Certegy. I am an unfortunate victim of this also.

I have sent some email questions to Certegy and I am sure they will respond. Though the company has been somewhat forthright in their press release, I remain somewhat nervous about the information of 2.3 million consumers "floating" around out there.

Anonymous said...

I too have received a letter from certegy. I am really thinking abt a lawsuit against certegy. it appears my checking account was in their data base and i feel that certegy a subsidary of Fidelity National Information Services Inc should be held accountable. It was their employee who stole our information or the parent company Fidelity should compensate everyone and anyone who has been effected. I have read where certegy is going to sue the direct marketing firms about OUR I repeat OUR stolen information and who will get the money Certegy. I am looking for any lawsuits against Certegy themselves or Fidelity National and yes i think who ever was effected should receive compensation of some sort. If i find an attorney who will take the class action lawsuit or even individual ones i will post it on this blog site

Thank you

Anonymous said...

I also received a letter from certegy. Unfortunately I am a victim also. I am also looking for lawsuits against Certegy and Fidelity National. I would be more than happy to take part in a class action lawsuit. Today I signed up for Identify Theft which is costly. How do I know that those telemarketer companies won't use my personal information to their advantage and how do we know if Certegy retrieved all the information before they use it to their advantage.

The Trusted Toolkit said...

You have to pay for identify theft protection/credit monitoring? I thought that Certegy was providing one year for free.

You ask a very good question. You will not know for sure if your personal information was used for marketing (or many other) purposes. This is the worst thing about a breach. Once confidentiality has been lost, you cannot be sure where the information has gone. Certegy will not be able to assure you that they have retrieved all of the information lost. Unfortunately, nobody can. I will let you know if I hear anything new, and may be posting another article about the breach soon.

Anonymous said...

Where does it say that Certegy is providing one yr free for ID Theft Protection and Credit Monitoring? It wasn't in my letter.

The Trusted Toolkit said...

Nope, you are right. I should read a little more carefully! I just assumed that they would offer it to the victims. Seems like most companies do offer it.

Anonymous said...

Good day. I am posting a blog to say that the word "breach" is being misused. This wasn't a hacker that stole the information. This is an "infraction" meaning that the employee went against rules and regulations set forth by the company. Let's learn to identify these before we create a riotious nature of thoughts. I to was affected by this incident and I am confident that Certegy is going to fulfill their promise to take care of the incident. Class act lawsuits will take years to go through and I think that we all have better things to do in the world right now than wait for a hang out

Anonymous said...

I am an employee of FIS and I also am a victim of this unfortunate incident. I would like to clarify that Certgy HAS provided free credit reports from the three mayor credit bureau companies and also has provided a 90 day FREE fraud alert.Also if ch would like a free credit watch on the acct afected all they need to do, as stated on the letter, is contact (866) 498 9916 and req it.


I would also like to clarify that the correct word for this insident is NOT a "briech", which defines itself as someone from the outside hacking into our systems. The person that commited this crime was a former employee that worked in this company for over 7 years, a trusted employee, and was one of the few that had ACCESS to this information. I would like to assure that the other employees that also have ACCESS to that information are being closly watched.

I just want to state that myself and other peers within this company were also victims of this "INFRACTION" and have also recieved the same letters as everyone else. Although it sounds scary, I can assure that the information consumed by these marketing organizations is not enough information to proceed with any identity theft or fraudulent activity on the accts.

PS. our fraud team is also closly monotoring these afected consumers and making sure that nothing is done with this information.

Thank you!

The Trusted Toolkit said...

Good day to you Sir (or madam).
I have to disagree with you in the meaning of the term "breach".

1. failure to maintain something: a failure to obey, keep, or preserve something such as a law, trust, or promise. i.e. a breach of confidentiality (Encarta® World English Dictionary ). How was this not a breach?

Your words: "Let's learn to identify these before we create a riotious nature of thoughts."
Since I already have the dictionary open and I'm not sure what riotious means:
Riotious (actually riotous):

Definition:
1. unrestrained: loud, conspicuous, and unrestrained
2. rioting or likely to riot: involved in or taking part in serious public unrest

How are we creating a riotous nature? I would like more people on both sides of the street to comment and I welcome yours.

Did Certegy do wrong? In my opinion, maybe. In the end its anyone's opinion. It is always easier to play "Monday morning quarterback", as I have been with this issue.

How were you affected and what makes you confident that Certegy will fulfill their promise?

The Trusted Toolkit said...

The term "breach" should NOT be used to imply "hacker".

See:
http://encarta.msn.com/dictionary_1861592509/breach.html
http://dictionary.reference.com/browse/breach
http://www.m-w.com/dictionary/breach

The terms "breach" and "infraction" are synonyms (meaning they can mean the same thing).

The other points you make in your post are valuable, no doubt! I am very glad that someone from FIS has posted here. Welcome!

Anonymous said...

I too am one of the MILLIONS!!!??!!! of people receiving a "letter".
I thought about a class action suit, but then I remembered .... the lawyers are the ones who benefit from those, not the victims of these crimes!
Something else to consider: I listened to/read the press release -
Just because someone says something/anything, DOESN'T MAKE IT TRUE! "Certegy has seen no evidence of identity theft or fraudulent financial activity involving your account" Can we take that statement to the bank? It also doesn't comfort me any knowing THEY are monitoring the 2.3 million accounts that have been compromised. Nope, not comforted at all in that knowledge!
So what can we victims do????
I called Certegy and wanted to know who was going to pay for my time in dealing with all this. They said THEY didn't request for me to deal with anything, so they weren't going to be responsible for any 'costs' in monitoring/changing/canceling my accounts. Yep, sounds like they are "a conscientious company that takes its responsibility to protect and preserve consumer information very seriously." NOT
Anybody have any ideas on a remedy for us victims??

Anonymous said...

Well Thank You FIS Employee! Am I supposed to feel better now that you tell us that there was not enough information for ID Theft or fraudulant activity? Remember they have our account numbers, names and addresses and phone no. And your Fraud Team will be able to monitor 2.3 million consumers? Tell me how?

Anonymous said...

Just thought about something major folks, guess what major information on us is floating around now, I got a a letter too, MY FREAKING SOCIAL SECURITY NUMBER!
Anyone else notice and think about that too? when we signed up for finanes and check and gaming and purchases etc, what did we give them for the credit checks age verification etc - we gave them our SS#s yes siree and now we're screwed! Class action lawsuit is a definet here.

Anonymous said...

Just got my 'letter' today (01AUG). Seems my checking account has been compromised. What a shame.... Did take me a while to find the public info on this case. Here's the web site: http://www.pinellascounty.org/public_records.htm

Login as Guest for free. (Case # 076271CI13 given in conf call is ALMOST accurate). Here's the Uniform Case number which you can search Pinellas Records: 522007CA006271XXCICI or Pinellas Case number: 07006271CI.

My bank gave one suggestion: Close account/re-open new account. OUCH!!! Much paperwork invovled there.

Has anyone been involved with fraud stemming from this 'infractionous' loser Mr. Sully?

No need for a civil(or criminal) suit, unless Certegy/FIS is knowningly involved in a cover-up. Then, I am all game. However, they seem to be 'up-front' about this so far.

Good luck to us all.

Anonymous said...

I just called Certegy and was told that my name, address,phone number, and last four digits of my bank account was compromised. The manager told me that is available on all of my checks. I have demanded a copy of exactly what was given to the telemarketers.

Anonymous said...

Hi Again,

first of all thank you for having this blog, I have put it into my favorites. Also i know im going to sound stupid-but yes i was affected as well my checking acct number, i posted before on this blog. i dont understand and maybe I am completely wrong in writing this, and I am no attorney have no background in law , just a common ordinary person who works for a living and anyone out there please correct me where I am wrong. What i dont understand is that if certegy is having a lawsuit on whoever/whatever company handles where our information is suppose to be kept safe and it was stolen by an employee of the company that took our personal information, then why cant us who have been affected by this get any monetary compensation from the lawsuit that certegy is pursuing.Am I wrong in thinking or saying that certegy will benefit from our personal information being stolen? Shouldnt we as the victims get something from certegy?

changing bank accounts credit card numbers, savings accts, checking accts, shouldnt be left up to us the victims, Certegy should send any of the effected a monetary settlement or am I wrong in thinking this??? I just dont think certegy should make out due to our misfortune.

Thank you

Anonymous said...

I just got my second letter in a week. It seems that both of my checking accounts have been effected. Does anyone have any ideas on how we can find out who Certegy's customers are? Do they handle ebay, paypal? If they have these guys a customers I'd like to close my accounts as a precaution.

Anonymous said...

Here's a link to a possible class action lawsuit:
http://www.girardgibbs.com/certegy.html?gclid=CK6ewITW5o0CFR3PggodB1S

Anonymous said...

This law firm is doing a class action law suit: www.belljames.com
1-800-763-2063

KC said...

A treasure trove of info here. Thank you.
I just got my letter. Why did it take a month?

They seem to think that there is lil worry about ID theft but I dont like the fact that the #'s are now over 8 million people affected?

For me to change my banking info? ARE YOU KIDDING?

Who is going to pay for new checks? I write very little, ( use atm card mostly) I am on disability so that is direct deposit. It will take forever for my info to get changed at SS, and this will delay my checks.
I need to live. That is my only source of income!

Someone will pay!

marlborz said...

I just recieved a letter stating my account/ banking information was used to aid a certegy employee remove and sell my information to various companies.

In addition none of the gaming sites I use even acknowledge who processes their transactions, I am fully aware that there are over 200 gaming sites that use Certegy to process their transactions. Who uses Certegy? Can anyone give me a list of all casinos that use Certegy to process these transactions?

Frankly, I'm quite disturbed that Certegy has no other means of screening their employees. Can there be a more effective way to prosecute individuals who abuse customers personal information? Does Certegy plan to explore different ways to protect this information? Certegy should consider to have their employees fully bonded, thus reassuring the customer that the indviduals handling the information we give them fully responsible for any misuse of information therein.

The Trusted Toolkit said...

A little late, but important news nonetheless.

A California law firm has announced a class action lawsuit representing 8.5 million victims against Certegy.

People absolutely HAVE had their data used against them as a result of this breach and should most certainly be compensated for their troubles.

As with almost all class action lawsuits, the lawyers will get rich, rich, rich. I wish the victims would!

I wish all of you my best!

Anonymous said...

Unfortunate and truly a preventable act as the lawyers will quickly realize.

Database Expert

Anonymous said...

I am a former employee of FIS/Certegy and a victim in this breach. I just wanted to let eveyone know that on Saturday, September 29, 2007 I got another letter in the mail from them announcing a second breach of information. A contract employee "helping" with the payroll department entered the building with a laptop, downloaded EVERY current and former employee's social security number, pay rate, etc and his laptop was allegedly stolen that evening. In the letter I received it mentions that they are offering a free year of credit monitoring for all employees. As if that's enough. They didn't learn from their first breach and allowed a second one to take place. What an upstanding company. I can't find anything about this most recent breach online yet so I'm posting it for you all.

The Trusted Toolkit said...

Hi! Interesting that you mention this breach. I was notified about it less than an hour ago. I will be posting information and commentary soon on my other blog, http://breachblog.com. You will see it posted before noon CDT. I would love to post this comment and any others.

Steven said...

I had my credit card hit for $9.45. the line item says 888-218-5608. Other blogs relate this phishing scam to this company