I received an interesting letter from some company called Certegy yesterday informing me that information they were holding about my checking account was stolen and sold to direct marketers.  My first thought was, “Who the hell are you and why do you have my data?”  My second thought was unprintable…

Anyhow, it appears that Certegy performs check authorization for a lot of merchants.  But I don’t recall writing a check in a store in the past five years or more.  I have a debit card that is faster and easier to use for that purpose.  In fact, I only write two checks a month, and those are to a house cleaning service (which, as far as I know, doesn’t use any sort of authorization service).  So I’m really curious as to where and how Certegy got my data.  I suppose it’s possible they got it before I started using the debit card, since I’ve had the account since 1993 and used to write a lot of checks.

But if the data was that old, it really bugs me that they’re hanging on to it.  They really have no business need of data that old.  And it only adds to the problem when their systems get breached.  Which, it turns out, happened from the inside:

The employee was a senior level database administrator who was entrusted with defining and enforcing data access rights. To avoid detection, the technician removed the information from Certegy’s facility via physical processes; not electronic transmission.

So far, the data has only been used for marketing purposes.  Or at least that’s what Certegy claims.  Not that I exactly trust them, given that it’s in their best interest to minimize the fallout over this.  While they claim to have taken steps to notify the credit bureaus and are working on contacting financial institutions, the letter I got seemed to put the onus on me to watch for fraudulent activity on the account.  It also pointed me to various government websites with information about identity theft. 

If I end up having to get a new checking account because of this I’m going to be red-hot pissed off.  Between my direct deposits, the automated house payment, the debit card, and all the online bill-pay information that I have in the current system, moving to a new account is going to be a right pain in the ass.

I can’t help but notice that their Q&A dances around but doesn’t answer the question of what they’re doing to prevent this from happening again.  Perhaps if there were severe per-account monetary damages attached to data privacy breaches, they’d be a little more serious and proactive about not keeping unnecessary data and policing their employees.