Certegy reveals their data breach is a lot larger than originally reported

Earlier this month, I blogged about the Certegy data breach, where a not very HONEST employee got caught selling information to an unidentified data-broker. Certegy was quick to assure the public that none of this information would be used to commit fraud because it was being used by "legitimate marketing firms."

Now the number of records (people compromised) has risen significantly after Certegy filed a report with the Securities and Exchange Commission.

The Tampa Bay Business Journal Reports:

An ongoing investigation has determined that about 8.5 million consumer records were stolen, according to a July 25 Securities and Exchange Commission filing by Fidelity National Information Services Inc. (NYSE: FIS), the Jacksonville-based parent company of St. Petersburg-based Certegy.

According to Fidelity, Certegy's parent company the investigation is continuing and this number could grow.

Florida Attorney General Bill McCollom listed some useful information for victims in a press release, which said:

For more information, consumers may call Certegy at 866-498-9916 or may visit their website at http://www.certegy.com. Affected consumers are encouraged to take the precautionary steps outlined in the Certegy letter, including obtaining a free fraud alert from one of the credit reporting agencies. Furthermore, if consumers believe at any time they are victims of identity theft, they should report this to the police and request that the national credit bureaus place a fraud alert on their credit reports. Consumers should also notify banks and creditors involved of questionable charges or accounts, keep records of all telephone calls and follow up in writing with credit bureaus, banks and creditors.

If you received a letter from Certegy and you continue to receive marketing calls that you suspect result from this data breach, please report this activity to the Attorney General’s Citizens Services Hotline at 1-866-9-No SCAM (1-866-966-7226). Additional information about protecting yourself from identity theft is available online at http://www.myfloridalegal.com/identitytheft.

I've received a lot of comments on my original post, including some (anonymous) claiming their information was used for fraud. Unfortunately, I cannot verify this information, but someone with the e-mail address LPLong@Yahoo.com claims to be collecting victims to file a class action law suit.

My original post with comments, here.

Press release from Florida Attorney General (Bill McCollom), here.

Note this is probably the right place to verify information, if you receive a letter. If you believe you are fraud victim based on the Certegy breach, I would let them know about it, also.

Tampa Bay Business Journal article, here.

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Large data breaches are becoming a VERY frequent news event! This time only 2.3 million records were stolen, a mere fraction of the amount (45 million plus) TJX lost. In this instance, we are told we have nothing to fear because the information was sold to a data broker.

Ron Word of the AP (courtesy of the Washington Post) reports:

Fidelity National Information Services, a financial processing company, said yesterday that a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information.

This occurred at one of their subsidiaries, Certegy Check Services.

According to the article:

About 2.2 million records stolen from Certegy contained bank account information and 99,000 contained credit card information, company officials said.

Since Certegy verifies check transactions, this probably means a lot of checking account information in addition to some credit and personal information. From a financial crimes perspective, this information could be used to commit a lot of identity theft, check and credit card fraud.

The company claims the information was sold to data brokers, who sold it to direct marketers. Their president, Renz Nichols, "believes" this is the extent of the damage.

Not sure, if I can "believe" that no one is at risk. The last time I checked, identity thieves normally shy away from revealing exactly, who they intend to compromise next. It's bad for business. Besides that, is this based on the word of someone, who stole the information and sold it in the first place?

Interestingly enough, the data broker is unnamed at this point. The AP article does say they are claiming they didn't know the information was stolen. I wonder how this data broker verifies the information they get, and who they are getting it from?

Data brokers and credit bureaus sell information all the time. Recently, a data broker (InfoUSA) was caught selling direct marketing information to spammers, who commit lottery fraud schemes.

The sad thing is that once the information starts getting sold, it becomes available to more and more insiders, who might sell it to the wrong person, assuming it hasn't been already.

And there is so much information to be sold, no one is ever sure exactly where it came from. Criminals are even selling it via the Internet to other criminals.

AP Story (courtesy of the Washington Post), here.

Attrition.org is tracking data breaches, here. The amount of them that happen is pretty scary!

I've written a lot of about how data brokers make billions buying and selling our information, which can later used against us, here.

They don't believe they are enabling a worldwide problem, either.

At least that's what I keep hearing, whenever a new data breach is announced.