3.9 Million Citigroup Customers' Data Lost 602
Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
And what did the UPS guy say? (Score:5, Funny)
They changed their slogan: (Score:5, Funny)
Re:And what did the UPS guy say? (Score:2)
Re:And what did the UPS guy say? (Score:3, Interesting)
You wouldn't believe the amount of software and infrastructure currently being expended to meet this deadline. I'm working on it now. Sounds easy, doesn't it? It's not.
Re:And what did the UPS guy say? (Score:3, Insightful)
Re:And what did the UPS guy say? (Score:4, Insightful)
Re:And what did the UPS guy say? (Score:4, Funny)
Oh, and if they used an open source solution and that got cracked, the fault would also be theirs, and they would also get 500 messages on how they used an older (or newer!) release, or because they didn't use an obscure "x" patch which you can find on page "y", hosted in some East European country and in a language used only in that country... etc.
Re:And what did the UPS guy say? (Score:3, Insightful)
Hence it follows that they'd also have to be forgiven in case they'd used a simple encryption scheme. After all the same unreasonable people would complain.
Hence they'd have to be forgiven if they'd used no encryption .... Basically, because someone would always complain they are always guiltless, no matter how careless they were
Re:And what did the UPS guy say? (Score:3, Insightful)
Secure file transfer is a solved problem. There are several options available for secure file transfer which don't require any more coding than a simple shell script.
How often does this happen now? (Score:5, Interesting)
Re: (Score:3, Insightful)
Re:How often does this happen now? (Score:3, Interesting)
The first thought I had when I heard about this story is how much that disk would be worth if you sold it to the right people.
Re:How often does this happen now? (Score:3, Insightful)
Just exactly how am I supposed to 'take a stand'? Believe me I'd love to, but I feel there's nothing I can do. I'd like to get a loan through another company, however I don't know of any credit union or smaller banks that do anything like that.
*blinks* (Score:5, Insightful)
Re:*blinks* (Score:5, Interesting)
Re:*blinks* (Score:3, Interesting)
Nah, not really. You see, it's cheaper for Citibank not to bother with such inconvenient struggles as encryption and confidentiality or even [gasp] an in-house courier service for confidential material, and as long as they don't even get a slap on the wrist, why should they care in the first place? Such unbelievably negligent behavior seems to make good business sense nowadays.
It's about time that such criminally negligent entities, such as Citibank's senior mana
Re:*blinks* (Score:5, Interesting)
More than likely they paid a consultant $3.5 million to set up a secure backup system which would work flawlessly. Bought it. Installed it...
And then new IT director-minion-worked-at-walmart-last-week went in to "optimize" the server and kill any "useless" processes that were making it run slow, and killed the encryption process.
And then of course they backup for two years without encryption until they hire a $8 an hour "casual" to "catalog" and "clean up" the archives -- and he discovers that they aren't encrypted. Notifies his boss who really doesn't understand -- and nothing happens.
And then they have a security breach and are "caught off guard". Heads roll, new consultants are hired, and the process begins again.
Well, at least that's what seems to happen where I work.
Re:*blinks* (Score:3, Interesting)
Oh please. While UPS does indeed have a share in the blame, it's hardly worth mentioning. Their track record on losing/destroying packages is well known. They absolutely do NOT make any guarantee that every single package will make it through, and two out of three rando
Re:*blinks* (Score:3, Insightful)
Did you read the actual service guarantee? It says: (emphasis mine)
Re:*blinks* (Score:2, Interesting)
Re:How often does this happen now? (Score:2, Funny)
A week hasn't gone by this year that some major data warehouse hasn't been "broken into". When are these people going to start taking our privacy and their security a little more seriously...
It really isn't that bad - it's just that slashdot keeps reposting the same stories over and over again.
Re:How often does this happen now? (Score:3, Insightful)
-John
Re:How often does this happen now? (Score:3, Interesting)
In this case, the lost cargo is probably in a UPS warehouse somewhere. They probably ran over the cargo with a forklift, and it's currently unidentifiable.
See http://www.perkinscoie.com/content/ren/updates/ecomm/062703.htm [perkinscoie.com] for more info on the CA law.
Re:How often does this happen now? (Score:3, Insightful)
Doesn't even one of them think for a moment - "Huh? I wonder what we are doing to make sure that this doesn't happen to us?"
I'm not one for endorsing additional legislation - but perhaps if we held officers liable (SarbOx style maybe) for these breaches, then maybe someone will start to care.
Re:How often does this happen now? (Score:3, Interesting)
Doesn't even one of them think for a moment - "Huh? I wonder what we are doing to make sure that this doesn't happen to us?"
What might work is if one of the companies were to make it a selling point. If a credit company were to advertise their excellent record of protecting data, it might make people use them instead of the competition. Then the other companies would take notice as they lost customers.
Re:How often does this happen now? (Score:3, Interesting)
Someone asked the question whether the University is responsible and would restitute time and money spent recovering from an identity theft that resulted from this, and they basically shrugged it off and said "tough luck, we are not liable". Here is their FAQ on it [uc.edu].
Actually hackers were very smart, they went
In other news, (Score:2, Funny)
Unacceptable (Score:5, Insightful)
Re:Unacceptable (Score:2)
BBH
Re:Unacceptable (Score:3, Insightful)
Re:Unacceptable (Score:5, Insightful)
So what is your solution? (Hint: YMFL, (Yet More Federal Legislation), will not prevent accidental loss of freight packages).
BTW - I write this as someone who has a mortgage with Citigroup so my data could be at risk here. However, my knee is not jerking violently, (yet).
They are unaccountable. (Score:3, Insightful)
They are unaccountable. Try complaining to your state's AG about your bank or CC company. You'll be told that the OCC (Office of the Comptroller of the Currency) has jurisdiction. Want to complain to them? Well, they'd probably listen if they weren't staffed by governmental appointees and ex-industry insiders.
Want to sue? Sorry, but you've probably already given up that right under an "arbitration" clause. One could try a class-action suit, I suppose, though tha
Re:Unacceptable (Score:4, Insightful)
So you want to pass a law that is unpopular?
Problem.
Reaction.
Solution.
It's called Diocletian's Problem. [propagandamatrix.com]
What good would it do? (Score:3, Informative)
And what good would that do? Unless you're buying your Congresscritters 30 second spots or shuttling them around in your private jet with the very accommodating flight attendant, then you're barking at the breeze, buddy.
In this age of government by the highest bidder, the people losing your data are the highest bidders. Too bad. You can get as mad as you want but it doesn't chan
Re:Unacceptable (Score:2)
Re:Unacceptable (Score:5, Insightful)
You can't, but you can make the things that tend to lead to accidents illegal. You'll notice there's no law against getting into a car crash, but there are lots of laws about driving too fast, running red lights, driving drunk, unsafe lane changes, etc. etc.
Same idea here. If I can be fined for driving 100mph because it might cause an accident, Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.
They Can Be Fined.. (Score:5, Informative)
They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.
If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.
Re:Unacceptable (Score:3, Insightful)
Whatever, dude. I think it's time to take off your blinders.
Re:Unacceptable (Score:3, Insightful)
Statement (Score:3, Funny)
Employee: Ummm, let me verify that with my datab... I mean.... let me get my manager.
Customer: No problem. Take your time. Would you like some free coffee? It's on me.
Gives new meaning to their slogan (Score:5, Funny)
Support legislation for criminalization of this (Score:5, Insightful)
Inappropriate for your bank to have your info? (Score:2)
Regarding your collecting comment: just how is it inappropriate for your bank to have your name, address, SSN, and additional financial info like the accounts and mortgage you have with them?
Re:Inappropriate for your bank to have your info? (Score:3, Informative)
Re:Support legislation for criminalization of this (Score:2)
I always see these kinds of comments and have to wonder: what is it about the US judicial system that makes the US legislative system seem like the cure for all social ills?
Look at what the US legislative system has gotten us: social security numbers (ok executive branch helped here too), DMCA, laws against bankruptcy, etc. How exactly
Re:Support legislation for criminalization of this (Score:3, Insightful)
That'll never happen, and here's why. The corporations and legislators both want the same thing: every citizen to have biometric national IDs that also function as universal purchasing cards.
You see, if we passed laws that made corporations have to beef up security and protocols and pay fines - Corporations would have to pay.
But i
remember folks (Score:5, Insightful)
Re:remember folks (Score:2)
Re:remember folks (Score:2)
is it hot in here? (Score:5, Funny)
Mod parent funny :) (Score:2)
3.9 million? (Score:2)
Can't these companies be sued? (Score:2)
Re:Can't these companies be sued? (Score:2)
BBH
Sensitive Data via UPS? (Score:5, Insightful)
Re:Sensitive Data via UPS? (Score:2)
Re:Sensitive Data via UPS? (Score:3, Interesting)
You obviously have zero experience in the shipping field despite your claim to have worked for UPS. It isn't uncommon at times to have 100 times that percentage of packages lost or damaged by us. We are a union shop so the lazy thugs we have can get away with anything. For example at the terminal where I work, a local jewelry store went out of business and shipped-out about four dozen nice
Re:Sensitive Data via UPS? (Score:5, Funny)
Re:Sensitive Data via UPS? (Score:3, Insightful)
Re:Sensitive Data via UPS? (Score:3, Funny)
Whoa.
Is it really lost? (Score:4, Insightful)
I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement.
Attach a cost to lost data (Score:5, Insightful)
I expect this will take a big class action lawsuit, but if I were a company of any size which handled confidential client data, I would be scrambling for a way to reduce my liability.
Data separation (Score:4, Interesting)
Google Ads (Score:2, Funny)
Has It Always Been this Bad? (Score:3, Insightful)
Re:Has It Always Been this Bad? (Score:2)
Consequently, I'd say the reporting has gotten better rather than that the companies have gotten worse. Ten years ago privacy wasn't even a concern for customers because few were abusing this information.
Re:Has It Always Been this Bad? (Score:2)
I guess you've never worked for a big company.
Nice to know where their priorities lie (Score:5, Insightful)
Re:Nice to know where their priorities lie (Score:3, Insightful)
Re:Nice to know where their priorities lie (Score:5, Insightful)
Well, that is because credit card companies don't care about you on a cosmic level. Damn right they never cared about your data. Hell, they sold it to every company on the planet already!
Why would they? What are you going to do? "Cancel your card? YOU HAVE A BALANCE! MUAAHHAHAHHHAHA! Fraud you say? Yeah, right! I don't care if you have Cancer, get back to work you deadbeat."
Most of America is in a you're-screwed-bonus-round with these jackasses. They give a crap about your data. These are the same generous, kind, and loving souls that sold you out to begin with. Everybody at light-my-fart.com got your name and address from them, why shouldn't they just get the freakin' credit card numbers, too?
Credit card companies are the big banking's little thugs.
Q: What's the difference between a credit card company and a loan shark?
A: Loan sharks tell you up front what they're going to do if you don't pay up.
Look, they never cared. They might feel bad, but I guess they feel bad about it in the same way that Satan would feel bad about killing children in a freeway pileup. "Whoops! *Chuckle*!"
Nothing punitive is ever going to come of this. If you have any doubts, recognize this:
Didn't our wonderful President just sign a bill for you to never be able to declare bankruptcy, even if you get freakin' terminally ill? I wonder who wrote that gem of a law for the people? Hmmmm. The President could give you a NO THANK YOU option on Social Security for the generations that will get nothing. That didn't happen. He wants to FORCE you to put your social security money in a special PRIVATELY OWNED BANK right now, in a way that you can never touch it. Wow. Who put that racket together?!? He's spending every waking moment touring the country supporting that agenda! Golly Gee whiz, I wonder who helped him see the light on that? I for one, trust our corporate masters. They would never screw us over. Never.
Trust me. Nothing will ever come of this. You have been warned.
Re:Nice to know where their priorities lie (Score:3, Informative)
complaint seriously?
All of them don't. If you get your number stolen, they just issue you a new one. Unless there's a mass compromise, they ignore the thieves, as (to them) it's not worth the time and effort to go after them, even if you give them lots of leads. After all, they aren't out the money, and neither are the banks involved (there's an issuing bank - your bank, and the merchant bank - the bank that processes the payment) - the people who get screw
Credit Cards act as a sort of social program (Score:3, Insightful)
* Wrong #1: People who use credit cards unwisely. Nothing good about this, and I won't defend it.
* Wrong #2: Credit card companies that push credit on people with relentless advertising. Then they advance credit to just about anyone, and are happy, even eager, to up your credit line. IMHO, they are knowingly making bad loans. This used to be known as "bad banking" and was punished by b
Re:Nice to know where their priorities lie (Score:3, Insightful)
Alright then, what about my other points?
You seemed to lock in on the bankruptcy law, that you seem to know so much about. Did you know that over 80% of all bankruptcies occur because of major medical problems? That's right! Most bankruptcies cannot be avoided! Now, now you have lifetime debtors because of a major illness. Someone who can never afford children again, can never drive a new car again, or anything like that, and most of them got seriously ill, and there was nothing they could do abo
Re:Nice to know where their priorities lie (Score:3, Interesting)
But don't let me get in the way of your seething hatred for Bush (who didn't pass the law, congress did.)
He signed it. So he passed it. Take a class, genius. I work in news. You want DVD or VHS?
Besides, what is the point? You think that I am shocked that members of congress are on the payrolls of Chase and Citigroup?
I have a complete ton of my Republican friends that hated this bill. Most financial counselors hate this bill. And they know more about it than both of us combined.
Re:Nice to know where their priorities lie (Score:3, Funny)
The same way god felt bad after killing the first born child of every Egyptian? (Exodus 11:1-12:30)
First, Satan is a fictional character I was using as an example. Bugs Bunny would have been better. Second, you really had to go back to the Old Testament for that one. Third, I am really sorry that I smeared the good name of Satan for
Encryption! Encryption! ENCRYPTION! (Score:2, Interesting)
Don't they even care about encrypting data on removable media?
that's so lame!
I hope everyone that is a Citibank customer (Score:3, Insightful)
I am moving from BofA after their mishap.
Somewhere smaller, hopefully more secure.
Hit them where it hurts!!!!
Were the tapes encrypted? (Score:3, Insightful)
You break it, you buy it. (Score:5, Insightful)
Re:You break it, you buy it. (Score:5, Informative)
citibastards and a possible solution (Score:3, Insightful)
There is definitely something wrong with this system! I'm all for doing without consumer credit, but it's simply not feasible.
Perhaps we need a public-key style scheme where we generate a unique private key that we use to encrypt things like credit card applications, and then the public key is on file with the government and credit card companies and the like. That way only we have access to important private information, but the credit reporting agencies and the government can still keep track of us the way they do currently.
This would beat the hell out of biometrics and nonsense like that (you can't bloody send someone a retina scan over the internet or through the mail!), and it would do something to improve our privacy by preventing people from faking your identity.
Other protocols should have been used (Score:2)
Frankly, Registered Mail [everything2.com], as offered by the US Postal Snail [usps.com], would have been the way to go.
Three times unlucky. (Score:2)
UC Berkeley sent me a letter telling me they failed to protect my data. University of Chicago came next. And now Citigroup.
I'm picking far too many winners lately...
Obvious (Score:5, Funny)
Find Results With
The exact phrase high security
Search for "high security" found 0 matches.
As a UPS employee... (Score:4, Informative)
It's not that bad really.. (Score:2)
0.o
Lost? (Score:3, Insightful)
Isn't this the second time (or more, most likely) that a set of shipped customer data has been "lost"?
It's quite possible that the scum of the universe that feeds on harvested identities has gotten sophisticated enough that they are now able to identify such in-transit packages and have them go missing.
Bottom line -- companies should not be shipping this type of information via common carriers.
Declared Value: $200; Description: Backup tapes (Score:2)
Just goes to show you that writing "Backup of customer data" in the goods declaration of the shipping form isn't a good idea.
Lecture Time (Score:5, Insightful)
And then, just to make the point, they should have to pay not just whatever court-assessed penalties, but that amount plus 24.99% retroactively applied to the entire amount backdated from the time they finally pay all the way back to the time of the incident, just like they're always raising people's interest rates to unreasonable amounts like that even retroactively on purchases already made, and to ensure that they pay in a timely way.
And it goes without saying that reparations should be paid personally by the people who run the company, not passed along to customers.
Re:Lecture Time (Score:5, Informative)
It never occurs to anyone that the Bank, and not me, might be the one who didn't like their end of the contract...
I got an adverse credit report and they raised my interest. The nature of the adverse report? I had used my card.
Yes, they give you cards at a certain interest rate and if you've never seen it happen, you can use them responsibly, make your payments, etc. and still end up with a "too much unsecured credit" marker from the credit agencies because they decide (after issuing the cards, when they realize you're going to use them) that you borrowed too much (i.e., that they offered you more credit than they meant to). They don't frame it (as they should) as "oops, we didn't mean to authorize that card." They think it's my burden to keep track of that, I guess. And I thought it was just my burden to make the payments.
Have I failed to keep my credit current? Nope. I managed to keep up to date even with the near crippling interest rates. But I did my financial planning based on the smaller interest rate they had originally negotiated with me, not realizing I'd be a bad customer by merely using my cards. I just had some intermediate bloat while I waited to sell my house and needed a large amount of short-term credit to cover some upgrades on the house while it was preparing for sale. I saw my rates jump from single-digits into the 20's.
Why did they do it? Because their economic models said I was a risk and because they could. But then, with all that personalization (by which they mean a "photo on the card") it never occurred to them to just call me and talk to me about what was going on in my life and to find out why my balance was high. Some personalization.
First USA (bought by BankOne, then bought by Chase) and MBNA are the absolute worst. Citibank and Sears were intermediately aggressive. They're all suddenly calling me a valued customer and offering me single digit rates again now that my house got sold and I paid some of it back down.
They spend tons of money trying to detect bad customers. They spend nothing trying to detect good customers. You're right I'm bitter.
But, just to stay on topic (which your uninformed, ad hominem attack on me was not, IMO), my real point is that the credit card companies behave in a routinely holier-than-thou way about everything they do involving money, while they soak the public for infinite money. Then on top of large profits, they ask a Republican Congress for a change to the bankruptcy bill because they allege they are being soaked by bankruptcies, even though they're seeing huge profits even before the changes. To listen to these megabanks, they are the victims and we the public are the powerful perpetrators. I just don't see it. So I see no reason not to be quite harsh with them when they screw up.
It's like the old joke (Score:2)
Who is collecting the lost info? Conspiracy afoot? (Score:2)
Mere fraud is too obvious and passe.
Could be the start of something more sinister....
Be on your guard, people.
Dear CITIGROUP Custoomer... (Score:3, Funny)
Tahnk you 4 ur help in tihs imprtnt matter
Signed, CITIGROUP
makes me wonder why i even try (Score:3, Interesting)
Citigroup in Mexico (Score:3, Interesting)
And you thought losing some customers' information was serious. Ha hah.
Biometrics (Score:3, Interesting)
Nothing so paranoid as an ex-C-bank employee... (Score:4, Insightful)
What, you think there's something special about C-bank? No, they're the rule, not the exception. Every financial institution cares just about the same amount about your data, and your life - in fact, the only money they really watch out for is the huge sums the company gets to keep for itself - THAT money (and the company's data) gets MUCH more carefully guarded!
My rule these days is, giving away information that you don't have to is like giving whiskey and car keys to a teenager. So apply for the credit card, but just write "disconnected" in the phone number box. Use several free email addresses and make sure they're evenly distributed as contact drops. Make a "mistake" in estimating your exact gross annual income, when reporting it to anybody but the IRS.
The point is not to be subversive, but just to be realistic. The information age has spawned a paper-happy bureaucracy driven by bean-counters who want your life history at every other step. Check it yourself - 90% of the data that you go through life writing in little boxes is simply dropped into a filing cabinet unread, unneeded, and ignored. I've gotten driver's licences with no address (just a PO box!), paycheck stubs with no SS number on them (you can ask to get it removed), and once got Household Credit to approve "Barney the Purple Dinosaur" for a credit line of $250. (To the best of my knowledge, the address I did this at *still* gets offers for him...)
Most of the people who key the data from your form to the computer do not even speak English! In fact, the most likely method for your data to be read is for the processing center to OCR-scan (or flat picture scan) it into a computer, where the images can then be beamed to the lowest-bidding Malaysian crack monkey (anywhere in the world) who "reads" the picture of your data and keys it in. And they're feeling the pressure from machine-AI reading programs, which are able to translate more and more of your hand-writing with a higher percent-chance of confidence every day.
Bottom line, if you throw a "Jr" onto your name half the time and half not, or only use your middle initial as the fancy strikes you, you're lying to no-one but an SQL database app, and you're only doing what little is in your power to confuse would-be identity thieves; necessary in a world that will always refuse to protect you!
Re:Encrypted Backup (Score:2)
I hope they were encrypting their backups. It's only common sense to do that, right?
Actually this could be a very bad idea. Imagine trying to retrieve badly needed data from a 5-year old encrypted tape.
In this case it was data being sent to a credit bureau, rather than a backup, so it most certainly should have been encrypted.
Re:Encrypted Backup (Score:2)
Otherwise, can't you just compress the encrypted data? It wouldn't be as efficient, but it should compress some, right (especially if you carefully chose the encryption algorithm)?
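An added example, not code from the thread and not anything Citigroup or UPS runs, that covers three points raised in this discussion: the reply in the "And what did the UPS guy say?" thread saying that protecting data before it leaves your hands is a solved problem, the "*blinks*" reply describing an encryption step that silently dies so tapes go out in the clear for years with nobody noticing, and the question just above about compressing encrypted data. It compresses first, then encrypts and authenticates, and includes a pre-shipment check that refuses a file that is not actually ciphertext. The HMAC-SHA256 counter-mode keystream and the SHA-256 subkey derivation are stand-ins chosen so the block runs on the Python standard library alone; in production you would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 and a real KDF such as HKDF. The customer records are constructed placeholders, not real data.

```python
"""Compress-then-encrypt for data that leaves your control, plus a
sanity check that an outbound file really is ciphertext (example code)."""
import hashlib
import hmac
import os
import zlib

# Constructed sample export for a credit bureau. Placeholder values only.
SAMPLE_EXPORT = "".join(
    f"cust{n:06d},DOE JANE,000-00-{n % 10000:04d},LOAN,ACTIVE\n" for n in range(500)
).encode()

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one master key.
    Assumed KDF for this example only; use HKDF in real code."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration keystream: HMAC-SHA256 in counter mode. Stands in for a
    vetted AEAD so the block runs without third-party libraries."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Compress, then encrypt, then MAC. Output: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    compressed = zlib.compress(plaintext, 9)          # compress BEFORE encrypting
    ciphertext = _xor(compressed, _keystream(enc_key, nonce, len(compressed)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify(key: bytes, blob: bytes) -> bool:
    """True only if the tag matches under this key (wrong key or any
    modification of nonce/ciphertext makes it False)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    _, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext, then decrypt and decompress."""
    if not verify(key, blob):
        raise ValueError("authentication failed: wrong key or tampered data")
    enc_key, _ = _subkeys(key)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    compressed = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return zlib.decompress(compressed)


def compression_ratio(data: bytes) -> float:
    """zlib output size over input size. Near or above 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_encrypted(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap pre-shipment gate: structured customer records compress heavily,
    ciphertext does not. Anything that compresses well is NOT ciphertext."""
    return compression_ratio(data) >= threshold


if __name__ == "__main__":
    key = os.urandom(32)
    blob = seal(key, SAMPLE_EXPORT)
    print(f"plaintext ratio {compression_ratio(SAMPLE_EXPORT):.2f}, "
          f"ciphertext ratio {compression_ratio(blob):.2f}")
    print("ship it" if looks_encrypted(blob) else "STOP: this is not encrypted")
    assert unseal(key, blob) == SAMPLE_EXPORT
```

Running it shows the plaintext compressing to well under half its size and the ciphertext to about 1.0 of its size, which answers the compression question: once data is encrypted there is nothing left for a compressor to find, whatever algorithm you picked, so the order has to be compress then encrypt. The `looks_encrypted` gate is the check that would have caught the killed-encryption-process scenario: put it in the job that writes the outbound media and refuse to ship anything that compresses well. One caveat: compressing before encrypting leaks the compressed length, which matters for interactive protocols where an attacker can influence the plaintext (the CRIME class of attacks) but not for a bulk file export like this one.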
Re:Damnit (Score:2)
What's funny (or sad, depending on your POV) -- that might have actually been safer!