Fidelity National Information Services has disclosed that a former employee at its Certegy unit stole 2.3 million customer records and sold the information to data brokers that in turn sold it on to direct marketers.
Fidelity says that, of the 2.3 million records believed stolen, around 2.2 million contained bank account information and 99,000 contained credit card data.
The data was allegedly stolen by a former senior-level database administrator who was responsible for enforcing data access rights at Certegy. The vendor says the technician removed the data from its facility using "physical processes" - not electronic transmission - in order to avoid detection.
The company says it is still investigating the time period over which the theft occurred.
Renz Nichols, president of Certegy Check Services, says the theft came to light when affected customers began receiving unwanted calls and marketing material through the post from the direct marketing companies that had bought the stolen data.
Certegy says it launched an immediate investigation but, after failing to detect any breach of its firewalls and systems security, requested that the US Secret Service contact the marketing companies in question to trace the source of the data. The company supplying the data was found to be owned and operated by a Certegy employee.
The vendor has now filed a civil complaint against the former employee and the marketing companies that are thought to have bought the data.
Certegy says it has seen no evidence that bank account or credit card data was used for anything other than marketing purposes, and is unaware of any instance of ID theft or fraudulent activity resulting from the data theft.
Says Nichols: "We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops."
Certegy says it will notify all affected customers of the theft. The firm has also informed the major US credit unions of the incident, as well as Visa and MasterCard.
The vendor says it will also establish a procedure for financial institutions to obtain information about their customers' accounts so that they can place them on an active fraud watch.