(Any Citibank customers?) -- Personal data lost, Citigroup says
TAPES ON 3.9 MILLION CUSTOMERS MISSING
By Tom Zeller Jr.
New York Times
In one of the largest breaches of personal information to date, CitiFinancial, the consumer-finance subsidiary of Citigroup, announced Monday that a box of computer tapes containing information on 3.9 million individual customers was lost by United Parcel Service last month, while in transit to a credit-reporting agency.
Executives at Citigroup said the tapes were picked up by UPS in early May and have not been seen since.
The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division.
The company said there was no indication that the tapes had been stolen or that any of the data on them had been compromised.
It is, however, the latest in a series of recent data security failures involving nearly every kind of institution that compiles personal information -- ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia, to media giant Time Warner to universities like Boston College and the University of California-Berkeley.
All of these institutions have reported data breaches in the past five months, affecting millions of individuals and spurring congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information.
The fear is that Social Security numbers, when combined with a consumer's name, address and date of birth, can be used by thieves to open new lines of credit, secure loans or otherwise steal someone's identity.
Increased awareness
Whether the recently reported breaches indicate an epidemic of data loss, however, remains unclear. Many privacy and security advocates have suggested that a California law requiring that consumers be notified of data security breaches has led to more routine confessions of data losses and increased awareness of a longstanding problem.
"I think what we're seeing is a situation that's been going on for a long time," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy group in San Diego, "and one which has only been made visible by California's law."
The California law, which went into effect in July 2003, requires state government agencies as well as companies and non-profit organizations -- regardless of where in the country they do business -- to notify California customers if the personal information maintained in their data files has been compromised.
In the most recent incident, Citigroup executives say the box containing the tapes was handed over to UPS, along with other items for shipping, May 2, under "special security procedures" that Citigroup required of the courier.
One of those special procedures, said Citigroup's chief operations and technology officer, Debby Hopkins, included scanning the bar code on each individual package, rather than scanning only the single bar code on the shipment manifest, which is a summary document listing all of the packages being moved in one shipment.
According to Hopkins, only the summary document was scanned, so UPS was unable to track where in the delivery chain the box was lost. It was not until May 20 that an employee of Experian, the credit-reporting agency that was to receive the tapes, called CitiFinancial to report that the tapes had not arrived. A subsequent investigation by UPS failed to find the package.
CitiFinancial has notified the Secret Service, which is investigating the incident, and has begun sending out letters to all 3.9 million customers notifying them of the loss and offering them 90 days of free enrollment in a credit-monitoring service. Other institutions with data-loss problems have also offered free credit monitoring services, some for as long as a year.
Norman Black, a spokesman for UPS, would not go into specifics on where or how the security system broke down, but said the courier was continuing its investigation. Black said blame ultimately lies with his company.
"They tendered us a package and expected it to be delivered in the reliable way that we always do," Black said, "and we had to go back to them and tell them that we can't find it."
Simply disappeared
A spokesman for Experian, Donald Girard, said he had never seen an instance in which a delivery of this kind simply disappeared, although he did say that he and other credit agencies had been encouraging financial institutions to convert from tapes to encrypted electronic delivery of data.
"Experian has been actively working for quite a while with all major data contributors to convert to electronic data transference," Girard said, "to mitigate risk in this process."
Hopkins of Citigroup said that most of the company's divisions already did this, and that its CitiFinancial division was scheduled to convert to such electronic transfers in July. She also said that the missing tapes, which were not encrypted, were created using mainframe-type computers and highly specialized hardware and software that would make it difficult -- though not impossible -- to extract data from them.
mercurynews.com