Subscribe to
Computerworld DBA who stole consumer data gets 57 months in prison, $4M bill
Former Certegy admin sentenced after admitting to stealing and selling personal info
Active Comments
 Identity & Security ManagementSolve your compliance problems and mitigate risk. Automate, validate and enforce business governance with Novell Identity Management and Security solutions. Learn more in the Identity & Security Management Zone See All Zones  |
July 16, 2008 (Computerworld) A former database administrator at Certegy Check Services Inc. who admitted last year that he stole the personal data of about 8.5 million consumers and sold the information to data brokers has been sentenced to 57 months in prison by a federal judge.
In addition, the judge ordered William G. Sullivan to pay almost $4 million in restitution to consumers victimized by the data-theft scheme and to submit to three years' of court supervision upon his release from prison. The sentence was handed down last Thursday in the U.S. District Court in Tampa, Fla.
Sullivan pleaded guilty to felony fraud charges last November, four months after the data thefts were disclosed by Certegy's parent company, Fidelity National Information Services Inc. As part of the plea agreement, prosecutors agreed to recommend a reduction from the maximum five-year sentence that Sullivan could have received.
Certegy, which is based in St. Petersburg, Fla., provides check-authorization services to financial institutions and merchants worldwide. According to court records, Sullivan, a resident of Florida's Pinellas County, systematically accessed Certegy's databases and downloaded consumer records over a five-year period starting in February 2002. The information that he stole included names, addresses, dates of birth, phone numbers, bank account as well as credit and debit card numbers, and payment card transaction data.
Sullivan admitted that he sold the data to an unidentified third party for a total of $580,000. The third party in turn sold the information to other data brokers. Sullivan even set up a company in Largo, Fla., called S&S Computer Services, which he used as a front to sell the stolen data on his own, according to the court records.
His actions were discovered when a retailer that uses Certegy's service reported seeing a correlation between a small number of check transactions and the subsequent receipt of telephone and direct-mail marketing solicitations by some of its customers.
Fidelity, which refers to itself as FIS and is a separate company from both Fidelity Investments Inc. and Fidelity National Financial Inc., initially said that about 2.3 million consumer records had been stolen. But in filings with the U.S. Securities and Exchange Commission three weeks after the initial disclosure, FIS increased the count of compromised records to as much as 8.5 million. However, the company claimed that the stolen information had been used purely for direct marketing purposes and not to commit any kind of financial fraud.
A California law firm quickly filed a class-action lawsuit against FIS and Certegy in connection with the data thefts. Certegy offered to settle the suit earlier this year, proposing a deal that would include one year's worth of free credit-monitoring services and limited amounts of identity theft insurance coverage and reimbursements for costs incurred as a result of the data breach.
The Sullivan case highlighted the threat posed to corporate data and systems by rogue insiders. Just this week, in yet another example of the now-familiar tale of employees gone bad, a network administrator for San Francisco's municipal government was arrested for allegedly locking other administrators out of the city's wide-area network by setting passwords that no one else knew. The city may have to replace its Cisco routers and switches as a result, potentially costing it $250,000 or more.
Security analysts have long maintained that such incidents show why it's crucial for companies to monitor what's going on inside their networks in addition to focusing on external threats. Also needed, analysts say, are processes that ensure a separation of duties and guarantee that no one has full access to all of the networks and systems within an organization.
Today's Top Stories
Resource Alerts
Whitepapers
 In SecurityStripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected. Click here to read the latest column by Jon Espenschied |
Protecting Exchange While it was once just a convenient way for employees to communicate internally, today e-mail systems like Exchange are tightly integrated with other business applications and are one of the primary methods for communicating with current and prospective customers. Protecting Exchange against costly downtime has become a top priority for more IT departments. So how do you ensure that your Exchange environment is always protected?Download this white paper now!
|
 The Spy FilesFor Congress to do anything that helps protect consumers and the critical Internet infrastructure as a whole, it must pass laws that require proactive processes to protect computers, not that tell people how to deal with the resulting mess, says Ira Winkler. Click here to read the latest column by Ira Winkler |
|
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
|
||||||
|
