Whistleblower Complaint Citing Security Violations at 3rd Party Credit Card Processor Filed Two Months Prior to Cardsystems Break-in
(PRWEB) October 28, 2005 -- On April 9th of this year, more than two months prior to the Cardsystems break-in, a Sarbanes-Oxley whistleblower complaint was filed with the Occupational Safety and Health Administration against NOVA Information Systems, a direct competitor of Cardsystems, Inc. Cardsystems, a 3rd party credit card processor and one of the many companies plagued with thefts of sensitive data this year, reported a theft of over 40 million credit card numbers in June. The complaint was filed by Nell Walton, a database administrator responsible for database security at NOVA (DOL Claim No. 4-1760-05-015).
The complaint outlines multiple violations of security policies that NOVA is required to adhere to under both federal regulations and VISA's industry standards. It cites security violations on databases that not only contain billions of credit card transaction records but also social security numbers, personal addresses, bank account numbers and other sensitive data. NOVA, headquartered in Atlanta, is the 3rd largest third party credit card processor in the United States. It is a fully-owned subsidiary of US Bancorp.
“It has been an extremely frustrating year,” Walton said, “I filed this complaint with an agency of the federal government more than two months prior to the Cardsystems break-in. During the investigation OSHA did not make a single phone call nor ask NOVA a single question about security problems as far as I know.”
In August, Walton's complaint was dismissed by an OSHA investigator, at a time when the Cardsystems break-in had been front-page news for weeks.
“I couldn't believe OSHA did not make the connection between what happened at Cardsystems and what I reported in my complaint. I filed this complaint under Sarbanes-Oxley because I was hoping for a quick and quiet resolution. No action to fix the problem was ever taken. OSHA was completely oblivious to the fact that Congress has been pulling its collective hair out over this very issue for months,” she said.
She went on to say that after the Cardsystems break-in she sent portions of the complaint to the Senate Judiciary Committee, the House Financial Subcommittee for Oversight and Investigations and the FBI in attempts to get the federal government to look into the situation at NOVA, but there was no response. In April, a copy of the complaint was forwarded to the SEC, also with no response.
The Sarbanes-Oxley Act of 2002 was enacted by Congress in response to the high-profile securities and accounting scandals of companies like Enron and WorldCom. It specifically includes a whistleblower provision to protect employees who are discriminated against for reporting many different types of accounting and securities violations. Congress gave the responsibility of conducting the first phase of Sarbanes-Oxley whistleblower investigations to OSHA, which dismisses the majority of these cases according to DOL statistics. Because of this high dismissal rate, Sarbanes-Oxley whistleblowers usually have no choice but to appeal the decision to the DOL's Office of Administrative Law Judges. If the DOL has not issued a decision in 180 days, the complaint may be filed in federal court. Both of these options can be cost-prohibitive for many whistleblowers. Walton has appealed OSHA's decision and her case is now before an ALJ in Washington, DC. Walton left NOVA in September.