JACKSONVILLE, Fla. — Fidelity National Information Services, the leading processor for credit union card accounts and a leading processing and authentication provider, began putting stronger internal control procedures into place after the processor discovered a data breach, which it alleged came from a source inside one of the company's subsidiaries.
According to court documents filed in relation to the matter, William Sullivan, then a database administrator for Certegy Check Services, allegedly misappropriated 2.2 million records gathered as part of Certegy's check authorization business, formed his own company and sold the data to direct marketing firms. Data from some 98,000 credit cards that had been used to secure lines of credit at casinos were also compromised, the company alleged.
Certegy Check Services has been part of FIS since the company purchased Certegy in January 2006.
Sullivan has since been fired and FIS is suing him and the direct marketing firms involved. The company is also working with prosecutors on the matter, according to Michelle Kersch, a senior vice president with FIS.
Kersch explained that Sullivan had been a nine-year employee with the firm and had passed background checks when hired that looked for any prior criminal convictions, drug abuse and credit rating. She said that the data generally included names and addresses of checking account holders and sometimes account numbers as well. However, the account numbers, she said, appeared not to have been sold.
Sullivan could not be located to comment on the allegations.
"It has come as a real shock given that he was a trusted employee and with us for nine years," Kersch said. She emphasized the company did not believe this alleged theft had been going on for very long.
But Kersch explained as well that FIS only became aware of the potential breach in its security after being contacted by one of its retail clients that used its Certegy Check Services check authorization service. Kersch said that the retailer had been contacted by one of its customers, who was irate over how much junk mail they received every time they shopped at that store.
Since the retailer knew it had not shared any of its customers' information, the information must have come from Certegy. After confirming that it had not been hacked from outside, FIS launched an internal investigation that eventually pinned the blame on a database administrator of nine years who has since been fired. Kersch acknowledged that were it not for the irate consumer, the problem could have continued for some time.
Kersch said Sullivan had been one of five administrators who had that level of access to the company's data and that FIS had acted to strengthen its internal controls by removing laptops from database administration, disabling the ability to download data to third-party devices such as flash drives and instituting spot checks on computers with high access to data.
The company has been working with banks and credit unions to mitigate the possible impacts of the breach and stressed that there was no evidence the data had been used fraudulently.
"All the firms which purchased the data were and are reputable direct marketing firms and have been cooperating with our investigation and effort to repair the damage," Kersch said.
The steps FIS is taking include notifying federal and state agencies of the breach as well as the three major credit bureaus and Visa and MasterCard. It has begun working with credit unions and banks to notify them as to the compromised information so that they can put fraud watches into place.
The firm will also contact impacted consumers directly and has established a toll-free hotline to answer questions about the breach.