A database administrator employed by a subsidiary of payment processor Fidelity National stole the information of as many as 2.3 million customers and resold it to an unidentified data broker, the company alleged.
The unidentified data broker then resold the information to direct marketers who solicited the customers for product offers.
Although Fidelity claimed there was no evidence the stolen information had been used for identity theft, junk mail solicitations are a prime cause of identity theft, as criminals will often "dumpster dive" for unused credit solicitations and open accounts using stolen identities.
The administrator, William Sullivan, worked for Fidelity subsidiary Certegy Check Services. Certegy first detected the breach when one of their customers alerted them to a link between check transactions and product solicitations its customers were receiving.
When an internal investigation failed to turn up the source of the breach, Certegy contacted the U.S. Secret Service.
The investigation led to Sullivan, characterized by Certegy president Renz Nichols as a "rogue," though he had worked for the company for seven years. Nichols said the employee had been fired and that the company would be pursuing civil damages against him.
"We are taking the necessary steps to see that any further use of the data stops," Nichols said.
Fidelity National provides payment processing services for retail, mortgage, and other transactions. It is a separate entity from Fidelity Investments.
The Enemy Within
In terms of sheer size, the Fidelity breach surpasses the loss of a laptop containing records on 1.8 million veterans by a former analyst with the Veterans' Administration.
It is surpassed by another disappearing laptop, which contained information on 2.9 million Georgia residents receiving medical care and belonged to a contractor working for the state's Department of Health.
But the dubious honor of largest data breach is still held by the TJX company, where hackers exposed records belonging to 46 million customers of the retail chain's TJ Maxx and Marshalls stores.
Although the majority of data breaches are caused by bad security procedures and carelessness, rather than malice, employees who go bad still present a major headache for businesses. Disgruntled workers can wreak havoc with information systems or steal and resell the data for profit.
In April, a former Morgan Stanley employee was arrested on charges of stealing information on the firm's hedge fund clients and using it to build his own brokerage business.