Fidelity National Information Services announced the theft of more than 2.3 million customer banking records from a subsidiary company that makes check acceptance recommendations to merchants. The records were subsequently sold to "a limited number of direct marketing organizations." FNIS blamed the theft on a former employee who had access to the data as part of his job responsibilities. FNIS believes the stolen data were used for targeted marketing solicitation, rather than identity theft, but did acknowledge in an online release that about 2.2 million stolen records contained consumer bank account information and about 99,000 records contained consumer credit card information. Certegy was alerted to the situation when a retail check processing customer noted that its customers were receiving telephone and mail solicitations related to their purchases. Among other actions, Certegy has filed civil complaints against the former employee and has requested a cease and desist order against the companies who purchased the stolen records.

Report On Data Theft At VA

Data security was also at the forefront at the Veterans' Administration this week, which reported on its investigation of the loss of an external hard drive with records on more than one half-million US veterans [Warning: PDF link] and 1.3 million non-VA physicians. The investigation revealed that lax security procedures and inadequate managerial oversight within the organization allowed employees at the VA's Birmingham, AL office unwarranted access to veteran data, and failed to detect or correct employees' failure to follow data-handling and security procedures. The improper clearance given to the employee not only allowed him unrestricted access to confidential medical files, but also allowed the same employee to introduce employee health records into a research database, which compromised the research protocol.

In both cases, employees with regular access to data compromised the security of the data. In the Fidelity National theft, the company found out about the data theft only after being notified by a third-party. Inadequate auditing procedures may have contributed to the company's ignorance of the theft. These cases underscore the need for regular review of data security policy and procedures, regular auditing of activity regarding data, and the need for regular verification of the propriety of access levels for all employees engaged in the handling of sensitive data.

New Trojan: BotVoice.A

Notes: PandaLabs announced the discovery of a new Windows Trojan called BotVoice.A, which uses the Windows text reader to announce that the system has been infected and that the computer's system files are being deleted. The Trojan attempts to delete all files on the hard disk and modifies the registry to disable all loaded applications, as well as the task manager. The Trojan is delivered through infected files, external storage media and malware downloads.