Ham-fisted management of customer data continues, this time at Citibank, which announced yesterday that data relating to almost 4 million customers had gone missing.

The unencrypted (what are they thinking?) CitiFinancial electronic back-up tapes en route to credit agency Experian dissappeared and have not been seen or heard from since its shipment on May 2. Citigroup has begun notifying effected customers of the security breach.

Meanwhile, Exerian continues to push for electronic data transfer with all of its major data contribiutors. CitiFinancial was scheduled to make the switch to electronic transfers in July.

Via The New York Times:

Personal Data for 3.9 Million Lost in Transit

June 7, 2005
By TOM ZELLER Jr

In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since. The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division. The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised...

...Citigroup executives say the box containing the tapes was handed over to U.P.S., along with other items for shipping, on May 2, under "special security procedures" that the bank required of the courier. One of those special procedures, said Citigroup's chief operations and technology officer, Debby Hopkins, included scanning the bar code on each package, rather than scanning only the single bar code on the shipment manifest, which is a summary document listing all the packages being moved in one shipment.

According to Ms. Hopkins, just the summary document was scanned for the box, which was picked up in Weehawken, N.J., so U.P.S. was unable to track where in the delivery chain the box was lost. It was not until May 20 that an employee of Experian, the credit reporting agency that was to receive the tapes, called CitiFinancial to report that they had not arrived at Experian's data-processing center in Allen, Tex. An investigation by U.P.S. failed to locate the package.

CitiFinancial has notified the Secret Service, which is called whenever there is a compromise of financial data. The agency is investigating the incident, and CitiFinancial has begun sending letters to all 3.9 million customers advising them of the loss and offering them 90 days of free enrollment in a credit-monitoring service. Other institutions with data-loss problems have also offered free credit-monitoring services, some for as long as a year.

A spokesman for U.P.S., Norman Black, would not go into specifics on where or how the security system broke down, but said the courier was continuing its investigation. Mr. Black said blame ultimately lay with his company. "They tendered us a package and expected it to be delivered in the reliable way that we always do," he said, "and we had to go back to them and tell them that we can't find it." Mr. Black said that an exhaustive search of all U.P.S. facilities nationwide had turned up no sign of the package. "It's rare that it gets to the point where we can find no trace of it," he said.

A spokesman for Experian, Donald A. Girard, said he had never seen an instance of a shipment of this kind simply disappearing, although he added that he and other credit agencies had been encouraging financial institutions to convert from tapes to encrypted electronic delivery of data. "Experian has been actively working for quite a while with all major data contributors to convert to electronic data transference," Mr. Girard said, "to mitigate risk in this process."

Ms. Hopkins of Citigroup said that most of the company's divisions already did this, and that the CitiFinancial unit is scheduled to convert to such electronic transfers in July. She also said that the missing tapes, which were not encrypted, were created using mainframe-type computers and highly specialized hardware and software that would make.

Full article here.

-- MDT

Labels: data breech