
3.9 Million Citigroup Customers' Data Lost

Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
  • As a UPS employee... (Score:4, Informative)

    by ap0 ( 587424 ) on Tuesday June 07, 2005 @12:36AM (#12743681)
    I bet we're going to get bitched at tonight to scan all our packages! I load the semi trucks that haul ground packages across the country and don't think any foul play is involved. There are quite a few things that could have happened to it. It might have even ended up in another customer's package if it's very small. We should have been able to find it, though. It's pretty damn difficult for a package to get lost for more than a couple days in our facilities.
  • by DJStealth ( 103231 ) on Tuesday June 07, 2005 @12:55AM (#12743794)
    From TFA:
    "We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers," Kevin Kessinger, executive vice president of Citigroup (Research), said in a statement. "Beginning in July, this data will be sent electronically in encrypted form," said Kessinger, who heads the company's consumer finance business in North America.
    The above quote implies that currently it is not in encrypted form.
  • by demaria ( 122790 ) on Tuesday June 07, 2005 @01:05AM (#12743851) Homepage
    There are government regulations in place that require collecting a certain amount of information, including SSN. The IRS must be notified if you make a deposit or withdrawal over $10,000 and the bank needs to send you and the IRS information relating to interest earned for tax purposes.
  • Ex-Citi Employee (Score:2, Informative)

    by silconous ( 636675 ) on Tuesday June 07, 2005 @01:13AM (#12743887) Journal
    Until the fines cost more than the security implementations, huge companies like Citi will always have problems like this. Hell, CitiCards shows the domain administrator's username in all of the marketing materials. I tried to change this when I was there and I got the big f@ck you shut your mouth or you're out of here.
  • by silentbozo ( 542534 ) on Tuesday June 07, 2005 @02:19AM (#12744227) Journal
    Which credit card company didn't take a fraud complaint seriously?


    All of them don't. If you get your number stolen, they just issue you a new one. Unless there's a mass compromise, they ignore the thieves, as (to them) it's not worth the time and effort to go after them, even if you give them lots of leads. After all, they aren't out the money, and neither are the banks involved (there's an issuing bank - your bank, and the merchant bank - the bank that processes the payment) - the people who get screwed are the merchants.
  • They Can Be Fined.. (Score:5, Informative)

    by camusflage ( 65105 ) on Tuesday June 07, 2005 @04:51AM (#12744693)
    Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.

    They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.

    If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.
  • Re:*blinks* (Score:1, Informative)

    by Anonymous Coward on Tuesday June 07, 2005 @06:06AM (#12744939)
    The trick is not to use Iron Mountain. They took over the smaller, excellent company we used to use and turned them into, well, Iron Mountain. Missing tapes, wrong tapes. We were on a first-name basis with the guys at the storage facility from where we had to call them every afternoon to locate our tapes. The final straw came when we received someone else's tapes. We now use a small company located in Birmingham to handle our tapes. They handle everything so well we barely notice them. We just need to hope that Iron Mountain don't buy them up.
  • by HangingChad ( 677530 ) on Tuesday June 07, 2005 @09:02AM (#12745752) Homepage
    And on another note, why aren't more consumers, in this day of rampant identity theft, completely outraged by these events.

    And what good would that do? Unless you're buying your Congresscritters 30 second spots or shuttling them around in your private jet with the very accommodating flight attendant, then you're barking at the breeze, buddy.

    In this age of government by the highest bidder, the people losing your data are the highest bidders. Too bad. You can get as mad as you want but it doesn't change anything.

  • by GizmoToy ( 450886 ) on Tuesday June 07, 2005 @09:27AM (#12745930) Homepage
    Yes, of course... but that doesn't mean the server containing all that information has to be sitting off the publicly accessible internet.

    UC has a number of servers behind a specific firewall and on a private portion of the LAN that cannot be accessed from the internet. I know because I have to travel to campus daily to use several of them. Why this server wasn't in that group, I guess would have been the more appropriate question.
  • Re:Lecture Time (Score:5, Informative)

    by NetSettler ( 460623 ) <kent-slashdot@nhplace.com> on Tuesday June 07, 2005 @09:32AM (#12745962) Homepage Journal
    lemme guess: someone's bitter because they signed a contract...

    It never occurs to anyone that the Bank, and not me, might be the one who didn't like their end of the contract...

    I got an adverse credit report and they raised my interest. The nature of the adverse report? I had used my card.

    Yes, they give you cards at a certain interest rate and if you've never seen it happen, you can use them responsibly, make your payments, etc. and still end up with a "too much unsecured credit" marker from the credit agencies because they decide (after issuing the cards, when they realize you're going to use them) that you borrowed too much (i.e., that they offered you more credit than they meant to). They don't frame it (as they should) as "oops, we didn't mean to authorize that card." They think it's my burden to keep track of that, I guess. And I thought it was just my burden to make the payments.

    Have I failed to keep my credit current? Nope. I managed to keep up to date even with the near crippling interest rates. But I did my financial planning based on the smaller interest rate they had originally negotiated with me, not realizing I'd be a bad customer by merely using my cards. I just had some intermediate bloat while I waited to sell my house and needed a large amount of short-term credit to cover some upgrades on the house while it was preparing for sale. I saw my rates jump from single-digits into the 20's.

    Why did they do it? Because their economic models said I was a risk and because they could. But then, with all that personalization (by which they mean a "photo on the card") it never occurred to them to just call me and talk to me about what was going on in my life and to find out why my balance was high. Some personalization.

    First USA (bought by BankOne, then bought by Chase) and MBNA are the absolute worst. Citibank and Sears were intermediately aggressive. They're all suddenly calling me a valued customer and offering me single digit rates again now that my house got sold and I paid some of it back down.

    They spend tons of money trying to detect bad customers. They spend nothing trying to detect good customers. You're right I'm bitter.

    But, just to stay on topic (which your uninformed, ad hominem attack on me was not, IMO), my real point is that the credit card companies behave in a routinely holier-than-thou way about everything they do involving money, while they soak the public for infinite money. Then on top of large profits, they ask a Republican Congress for a change to the bankruptcy bill because they allege they are being soaked by bankruptcies, even though they're seeing huge profits even before the changes. To listen to these megabanks, they are the victims and we the public are the powerful perpetrators. I just don't see it. So I see no reason not to be quite harsh with them when they screw up.

  • Trick of the trade (Score:2, Informative)

    by R2.0 ( 532027 ) on Tuesday June 07, 2005 @09:46AM (#12746083)
    The trick to getting high value stuff through UPS is to label it just that - "High Value". If you value your items high enough (and pay the insurance coverage), UPS flags the item and it damned near gets hand carried through the system. If Citibank would have sent it valued at, say, $25k (woefully low for the damage its loss has caused), that little package would have been treated like the Crown Jewels.

    My guess is the Citibank shipping drones weren't flagged as to the value of the contents and shipped it out at 1# for $3.85, valued at $100 (default/no extra fees).

    Sure hope that $100 they get from UPS covers all of Citibank's expenses.
