In the July 3rd press release:
“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division
Data sold to Marketing Solicitation Companies;
No Fraudulent Activity of Identity Theft Detected”
The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a guy named William Sullivan, also allegedly owns a side business named S&S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes" rather than by transmission.
How does a business protect itself (and customers)?
I can think of two things right off the bat: extensive screening of employees who have access to sensitive information, and segregation of duty.
Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.
Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access that data, and also audits who has accessed it! Bad news. As security professionals, we should never accept a single entity holding all three of these rights (access, access control, and audit). There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have its security personnel look into these products.
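As an added example (not from this post, and not Certegy's or any vendor's code) of the kind of check an audit tool can run over a database audit trail: it flags an account that both defines access rights and reads the sensitive data, a self-grant, an unfiltered read of a whole sensitive table, and any rewrite of the audit table. The log format, table names and account names are constructed for the example; the check is only meaningful if the trail is written somewhere the DBA cannot alter.

```python
import re

# Assumptions (constructed for this example): table names, account names and
# the one-line-per-statement audit format "<timestamp> <account> <statement>".
SENSITIVE_TABLES = {"consumer_checks"}   # tables holding regulated consumer data
AUDIT_TABLE = "audit_log"                # where the audit trail itself is kept

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
GRANT_RE = re.compile(r"^GRANT\s+.+?\s+ON\s+(\w+)\s+TO\s+(\w+)", re.I)
SELECT_RE = re.compile(r"^SELECT\s+.*?\bFROM\s+(\w+)(\s+WHERE\b)?", re.I)
TAMPER_RE = re.compile(r"^(DELETE\s+FROM|UPDATE|TRUNCATE(?:\s+TABLE)?)\s+(\w+)", re.I)

# Constructed sample audit trail: one privileged account grants itself access,
# bulk-reads the data, then tries to cover its tracks; two accounts behave normally.
SAMPLE_LOG = """\
2007-06-01T09:12:03 dba_01 GRANT SELECT ON consumer_checks TO dba_01
2007-06-01T09:12:40 dba_01 SELECT * FROM consumer_checks
2007-06-01T09:13:05 dba_01 DELETE FROM audit_log WHERE actor='dba_01'
2007-06-01T10:00:00 app_svc SELECT acct_no FROM consumer_checks WHERE id=42
2007-06-01T10:05:00 sec_admin GRANT SELECT ON consumer_checks TO app_svc
"""

def analyze(log_text):
    """Return (timestamp, account, rule) findings for segregation-of-duty breaches."""
    findings = []
    grantors = set()  # accounts seen defining access rights (the "who can see it" role)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, actor, stmt = m.groups()
        g = GRANT_RE.match(stmt)
        if g:
            grantors.add(actor)
            if g.group(2).lower() == actor.lower():       # granting rights to oneself
                findings.append((ts, actor, "SELF_GRANT"))
            continue
        s = SELECT_RE.match(stmt)
        if s and s.group(1) in SENSITIVE_TABLES:
            if actor in grantors:                         # same account controls and reads data
                findings.append((ts, actor, "GRANTOR_READS_DATA"))
            if s.group(2) is None:                        # unfiltered read of a whole table
                findings.append((ts, actor, "BULK_READ"))
            continue
        t = TAMPER_RE.match(stmt)
        if t and t.group(2) == AUDIT_TABLE:               # rewriting the audit trail
            findings.append((ts, actor, "AUDIT_TAMPER"))
    return findings
```

Calling analyze(SAMPLE_LOG) yields four findings, all against dba_01, and nothing for app_svc or sec_admin, whose access was granted by a separate account.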
Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent misuse of data that has already left the company. Once confidential data has been disclosed to unauthorized individuals, its confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this does not happen again and disclose to its customers what those steps are.
Certegy's Actions (thus far)
NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.
Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.
NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.
From Renz Nichols, president of Certegy Check Services: "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols that you cannot stop all rogue employees, but I think you can certainly do more to detect them.