UPS loses tapes with data of 3.9 million Citigroup customers

June 7, 2005

By Tom Zeller, Jr.

In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.

Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since.

The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division.

The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised.

It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information - ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley.

All these institutions have reported data breaches in the last five months, affecting millions of individuals and spurring Congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information. The fear is that Social Security numbers, when combined with a consumer's name, address and date of birth, can be used by thieves to open new lines of credit, secure loans and otherwise steal someone's identity.

Whether the recently reported breaches indicate an epidemic of data loss is unclear. Many privacy and security advocates have suggested that a California law, requiring that consumers be notified of data security breaches, has led to more confessions of data losses and increased awareness of a longstanding problem.

"I think what we're seeing is a situation that's been going on for a long time," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy group in San Diego, "and one which has only been made visible by California's law."

The California law, which went into effect in July 2003, requires state government agencies as well as companies and nonprofit organizations - regardless of where in the country they do business - to notify California customers if the personal information maintained in their data files has been compromised.

Yet in an age of transnational banks, Internet commerce and giant data aggregators, notifying only California residents when data on consumers all over the country is potentially lost or compromised has proved to be a public relations impossibility. (ChoicePoint was widely accused of planning to notify only California residents when it learned that information on at least 145,000 Americans had fallen into the hands of thieves; the company, however, said it was planning on nationwide notification all along.)

Now, with each week bringing new reports of data loss, whether because tapes fell off the back of a U.P.S. truck or because data was electronically stolen by hackers or thieves, at least five other states - Arkansas, North Dakota, Georgia, Montana and Washington - have passed similar notification laws. As of last month, dozens of other states were considering similar laws.

In the most recent incident, Citigroup executives say the box containing the tapes was handed over to U.P.S., along with other items for shipping, on May 2, under "special security procedures" that the bank required of the courier. One of those special procedures, said Citigroup's chief operations and technology officer, Debby Hopkins, included scanning the bar code on each package, rather than scanning only the single bar code on the shipment manifest, which is a summary document listing all the packages being moved in one shipment.

According to Ms. Hopkins, just the summary document was scanned for the box, which was picked up in Weehawken, N.J., so U.P.S. was unable to track where in the delivery chain the box was lost. It was not until May 20 that an employee of Experian, the credit reporting agency that was to receive the tapes, called CitiFinancial to report that they had not arrived at Experian's data-processing center in Allen, Tex. An investigation by U.P.S. failed to locate the package.

CitiFinancial has notified the Secret Service, which is called whenever there is a compromise of financial data. The agency is investigating the incident, and CitiFinancial has begun sending letters to all 3.9 million customers advising them of the loss and offering them 90 days of free enrollment in a credit-monitoring service. Other institutions with data-loss problems have also offered free credit-monitoring services, some for as long as a year.

A spokesman for U.P.S., Norman Black, would not go into specifics on where or how the security system broke down, but said the courier was continuing its investigation. Mr. Black said blame ultimately lay with his company.

"They tendered us a package and expected it to be delivered in the reliable way that we always do," he said, "and we had to go back to them and tell them that we can't find it."

Mr. Black said that an exhaustive search of all U.P.S. facilities nationwide had turned up no sign of the package. "It's rare that it gets to the point where we can find no trace of it," he said.

A spokesman for Experian, Donald A. Girard, said he had never seen an instance of a shipment of this kind simply disappearing, although he added that he and other credit agencies had been encouraging financial institutions to convert from tapes to encrypted electronic delivery of data.

"Experian has been actively working for quite a while with all major data contributors to convert to electronic data transference," Mr. Girard said, "to mitigate risk in this process."

Ms. Hopkins of Citigroup said that most of the company's divisions already did this, and that the CitiFinancial unit is scheduled to convert to such electronic transfers in July.

She also said that the missing tapes, which were not encrypted, were created using mainframe-type computers and highly specialized hardware and software that would make it difficult - though not impossible - to extract data from them.

And Ms. Givens of the Privacy Rights Clearinghouse said, "Your everyday dumpster diver may not know what to do with these tapes, but if these tapes ever find their way into the hands of an international crime ring, I think they'll figure it out."

main page ATTRITION feedback