A former database administrator at Certegy Check Services who admitted last year that he stole the personal data of about 8.5 million consumers and sold the information to data brokers has been sentenced to 57 months in prison by a federal judge.
In addition, the judge ordered William G. Sullivan to pay almost $4 million in restitution to consumers victimized by the data-theft scheme, and to submit to three years' of court supervision upon his release from prison. The sentence was handed down last Thursday in the US District Court in Tampa, Fla.
Sullivan pleaded guilty to felony fraud charges last November, four months after the data thefts were disclosed by Certegy's parent company, Fidelity National Information Services Inc. As part of the plea agreement, prosecutors agreed to recommend a reduction from the maximum five-year sentence that Sullivan could have received.
Certegy, which is based in Florida, provides check-authorization services to financial institutions and merchants worldwide. According to court records, Sullivan, a resident of Florida's Pinellas County, systematically accessed Certegy's databases and downloaded consumer records over a five-year period starting in February 2002. The information that he stole included names, addresses, dates of birth, phone numbers, bank account as well as credit and debit card numbers, and payment card transaction data.
Sullivan admitted that he sold the data to an unidentified third party for a total of $580,000; the third party in turn sold the information to other data brokers. Sullivan even set up a company called S&S Computer Services, which he used as a front to sell the stolen data on his own, according to the court records.
His actions were discovered when a retailer that uses Certegy's service reported seeing a correlation between a small number of check transactions and the subsequent receipt of telephone and direct-mail marketing solicitations by some of its customers.
Fidelity, which refers to itself as FIS and is a separate company from both Fidelity Investments Inc. and Fidelity National Financial Inc., initially said that about 2.3 million consumer records had been stolen. But in filings with the U.S. Securities and Exchange Commision three weeks after the initial disclosure, FIS increased the count of compromised records to as much as 8.5 million. However, the company claimed that the stolen information had been used purely for direct marketing purposes and not to commit any kind of financial fraud.
A California law firm quickly filed a class-action lawsuit against FIS and Certegy. in connection with the data thefts. Certegy offered to settle the suit earlier this year, proposing a deal that would include one year's worth of free credit monitoring services and limited amounts of identity theft insurance coverage and reimbursements for costs incurred as a result of the data breach.
The Sullivan case highlighted the threat posed to corporate data and systems by rogue insiders. Just this week, in yet another example of the now-familiar tale of employees gone bad, a network administrator for San Francisco's municipal government was arrested for allegedly locking other admins out of the city's wide area network by setting passwords that no one else knows. The city may have to replace its Cisco routers and switches as a result, potentially costing it US$250,000 or more.
Security analysts have long maintained that such incidents show why it's crucial for companies to monitor what's going on inside their networks in addition to focusing on external threats. Also needed, analysts say, are processes that ensure a separation of duties and guarantee that no one has full access to all of the networks and systems within an organization.