A US law firm has filed a class-action lawsuit against Fidelity National Information Services (FIS) over the potential compromise of personal data belonging to 8.5 million consumers.

The lawsuit was filed last week in federal court for the Central District of California. It does not seek specific damages, but it accused FIS and Certegy Check Services, the subsidiary involved in the breach, of negligence, invasion of privacy and breach of implied contract.

The complaint, filed on behalf of 8.5 million consumers, by the San Francisco-based law firm of Girard Gibbs, charged both companies with failure to implement and maintain adequate security measures for protecting confidential financial information belonging to consumers. The suit also alleged that the companies failed to properly monitor and supervise the activities of employees entrusted with consumer data.

FIS is a large transaction processor and outsourcing provider to the financial services sector. It is not affiliated with the better-known Fidelity Investments. Certegy provides check verification services for many major retailers.

The breach in question was disclosed by FIS in July and involved a Certegy senior database administrator who illegally accessed and downloaded millions of consumer records and sold them to data brokers.

Initially, FIS said about 2.3 million records may have been compromised by the database administrator's actions. However, in filings with the US Securities and Exchange Commission about two weeks later, FIS increased that number to as many as 8.5 million records that might have been compromised.

According to the company, the data appeared to have been misappropriated purely for use in marketing purposes and not for identity theft or other types of fraud.

Legal experts have long been warning companies that they could become targets of such lawsuits in data breach incidents. Even so, few cases have been filed in data breach incidents and fewer still have been won by consumers. In the past, legal experts have said the plaintiffs in such cases usually have a hard time establishing and proving a direct link between a disclosed data breach and identity theft or other forms of fraud.