3.9 Million Citigroup Customers' Data Lost
Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
"oops"
...were they insured?
A week hasn't gone by this year that some major data warehouse hasn't been "broken into". When are these people going to start taking our privacy and their security a little more seriously...
"A truly wise man realizes he knows nothing."
3.9 million more recipients for "refinance NOW" spams...
Should have had that special combustible backup tape. It's still experimental, and it's slightly difficult to keep it from exploding inside the tape backup system, but it's very helpful in keeping important, critical data from other people.
I hope they were encrypting their backups. It's only common sense to do that, right?
These companies are treating this information far too trivially. Laws need to be passed that will make this type of carelessness illegal and/or compensate these customers for losing their info. I think the lack of trust from customers would be incentive enough, but obviously it isn't, so more needs to be done to prevent these fiascos. And on another note, why aren't more consumers, in this day of rampant identity theft, completely outraged by these events? What is this, the fourth incident in the past few months (and I'm probably lowballing the number)? This is simply unacceptable.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
that they'd use some (original) PGP derivative encryption and maybe even a biometric scanner 'key' to the data. If they did they sure as hell would do good to mention it before people get all their panties in a wad..
UPS: What can BROWN lose for you?
You can hold down the "B" button for continuous firing.
Customer: Hi sir, I have my paper statement here which claims I had $1,000,234.01 in my account a month ago. Please bring my account back.
Employee: Ummm, let me verify that with my datab... I mean.... let me get my manager.
Customer: No problem. Take your time. Would you like some free coffee. It's on me.
What can Brown do for You?
"Kittens give Morbo gas!"
If we create legislation that makes losing customers' personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.
Very humbling to know.
just because you didn't hear about things like this in the past doesn't mean they didn't happen.
http://www.rayn.net . Funny. Stuff.
seems the brown has hit the fan
With that many customers, they should have their own armed shipping dude.
For negligence?
Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
I used to work for UPS customer service. I'd say at least .1% of all packages either get damaged or lost during shipping. Shipping packages of low value is no big deal, your losses over time will be minimal. Shipping packages of high value, however, will result in considerably larger losses over time.
DO NOT SHIP YOUR HIGH VALUE GOODS VIA UPS/FEDEX/DHL/ETC. I cannot stress that enough. Hire a private courier. Hire someone in your company. Drive it yourself. Find someone with better than a 99.9% success rate if your package is worth millions.
I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Why didn't they just transfer the information over the Internet?
The fact that knowledge of a person's identifying credentials is sufficient to commit fraud is solely the responsibility of those who are architects of the credit system. Until the law makes them fully responsible for all damages to consumers caused by the flaws in the credit system, this problem will just continue to get worse.
Cthulhu for President! Why settle for the lesser evil?
The only way to solve this is to attach a cost to personal data. As soon as you do this, companies will, instead of trying to collect as much data as they can, treat it (rightly) as something they should collect as little as possible. Lost data should have a cost to it which sends shudders down the spine of Chief Financial Officers.
I expect this will take a big class action lawsuit, but if I were a company of any size which handled confidential client data, I would be scrambling for a way to reduce my liability.
I'm not wrong. You haven't thought about it hard enough.
There is no reason why this data needs to be shipped together. Citigroup should keep social security numbers separate from names, separate from account history, separate from address, etc. All this can be assembled when needed and it would make it much harder to steal useful data or for a criminal to make use of any lost tapes.
The global economy is a great thing until you feel it locally.
In the Google ads in the sidebar next to this story they have a listing for "Jobs at UPS". Extremely fitting for this situation as there has to be a few employment spots opening up at 'brown' after this incident.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
As this is just another in a long string of weekly "your vital data stolen" stories, I'm starting to wonder: have big companies always been this fucking careless, and it's only due to SOX et al. that we're learning about it now? I'm not even sure which I'd prefer.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
Anyone who has done some shipping knows that. Maybe if they would start by properly paying and treating their employees things might improve. Motivated employees is the key imo.
You have to be kidding me. UPS? To transfer secure information? Where I work, we receive a backup tape from a production system that we load that contains sensitive data. That tape is sent back to my group via Iron Mountain (and we send the old tape back the same way). And this isn't even stuff as high profile as what Citigroup apparently lost. When services exist like this to facilitate occasional, VERY important shipments, there's just no excuse for using UPS or Fedex. I fear for the free market if this is "business as usual" for it.
These are the people that would pay through the nose for an armoured car to truck their cash around, but would send huge amounts of customer information through UPS.
ELOI, ELOI, LAMA SABACHTHANI!?
What about electronic means that have been available since the 20th century, secure channels and stuff?
don't they even care about encrypting data on removable media?
that's so lame!
will be taking their business elsewhere
I am moving from BofA after their mishap.
Somewhere smaller, hopefully more secure.
Hit them where it hurts!!!!
We need laws of the sort that would allow us to punish Citigroup for this kind of data loss. It should be bloody painful for any company that ships masses of (plaintext) financial data out of their building. It is *not* hard to require them to encrypt the goddamn data, nor is it expensive (especially given what financial companies consider expensive). There is no good reason not to make extremely painful penalties for not doing so.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Wow, looks like they have a track record with these things.. Here [google cache]. I know that they take big security precautions for their data while it's on the servers, why can they not afford the same in these situations? Maybe it's time to stop looking at outsourcing your transportation of customer records to private companies and work out something that will ensure the privacy of your customers' data.
I guess not, otherwise this would be a nonissue. It is unbelievable that in this day and age a company the size of Citigroup would ship unencrypted tapes. Geez, it is trivial to do and a no-brainer. Really, whoever is in charge of IT security policy there is an idiot and should be fired immediately and any security credentials (like CISSP) stripped so he/she can't pull another fast one on some other company. This is the height of absurdity and irresponsibility.
CitiGroup no doubt spends millions each year on network encryption for data transmitted across WANs. I wonder if the data on these tapes was encrypted? Since they're "backups", I doubt it. Sure, UPS screwed up the sensitive task entrusted to their expert professionals. But CitiGroup took an unacceptable, unnecessary risk by allowing the task to be so sensitive. They should all have to indemnify every exposed CitiGroup customer from identity crimes in perpetuity, including the time the customers spend managing this exposure.
--
make install -not war
Things like this should be encrypted. It's not hard and adds 2 steps.
There is definitely something wrong with this system! I'm all for doing without consumer credit, but it's simply not feasible.
Perhaps we need a public-key style scheme where we generate a unique private key that we use to encrypt things like credit card applications, and then the public key is on file with the government and credit card companies and the like. That way only we have access to important private information, but the credit reporting agencies and the government can still keep track of us the way they do currently.
This would beat the hell out of biometrics and nonsense like that (you can't bloody send someone a retina scan over the internet or through the mail!), and it would do something to improve our privacy by preventing people from faking your identity.
I didn't do it!
"Whenever the cause of the people is entrusted to professors, it is lost." ~ V.I. Lenin
I'm wondering if such "incidents" might not be fabrications to hide more disturbing problems, or to dissimulate clandestine sale of customer data, for example...
Frankly, Registered Mail, as offered by the US Postal Snail, would have been the way to go.
This sig no verb.
If we create legislation that makes losing customers' personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.
Regarding your collecting comment: just how is it inappropriate for your bank to have your name, address, SSN, and additional financial info like the accounts and mortgage you have with them?
It is the ethical responsibility of the maintainers of this data to keep it secure. When trusting a 3rd party to transfer sensitive data, Citigroup should have encrypted the data on the media. Sure is odd how this happened, UPS has never lost anything of mine.
Jesus, in recent days I've taken it in the teeth by the failure of institutions to protect my personal data.
:-(
UC Berkeley sent me a letter telling me they failed to protect my data. University of Chicago came next. And now Citigroup.
I'm picking far too many winners lately...
STOP . AMERICA . NOW
This is why I keep all my money in a wad stuffed in a shoebox under the bed. That way I always know where to find it - right next to the porn.
Find Results With
The exact phrase high security
Search for "high security" found 0 matches.
Congratulations on making the first "brown" related comment that's actually funny :)
"A truly wise man realizes he knows nothing."
According to the 'information disposal' law which came out yesterday: http://it.slashdot.org/article.pl?sid=05/06/05/0315207&tid=172&tid=158&tid=219
I really doubt they'd be fined per person.. that'd be a 10 billion dollar fine.
[cue Ace Ventura]
GRUFF MAN
It sounds broken.
HDS MAN
Most likely sir! I bet it was something nice though! Now... I have an insurance form. If you'll just sign here, here, and here, and initial here, and print your name here, we'll get the rest of the forms out to you as soon as we can.
the instant the tape was lost, my plane luggage from 1996 showed up!
Table-ized A.I.
I agree with the parent 110%. Would a store pay the Postal Service to transport money to a bank? No! They use armored transport.
They're not really lost. I'm making a "backup" of them right now, then Citigroup can have them back. ;)
I bet we're going to get bitched at tonight to scan all our packages! I load the semi trucks that haul ground packages across the country and don't think any foul play is involved. There are quite a few things that could have happened to it. It might have even ended up in another customer's package if it's very small. We should have been able to find it, though. It's pretty damn difficult for a package to get lost for more than a couple days in our facilities.
Because the tapes were encrypted, weren't they... er... Weren't they?
0.o
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
Isn't this the second time (or more, most likely) that a set of shipped customer has been "lost?"
It's quite possible that the scum of the universe that feeds on harvested identities has gotten sophisticated enough that they are now able to identify such in-transit packages and have them go missing.
Bottom line -- companies should not be shipping this type of information via common carriers.
Contrary to all popular belief, a bank doesn't -need- any information about -you- (certainly not SSN!) In fact, why can't customers have anonymous accounts?
Just goes to show you that writing "Backup of customer data" in the goods declaration of the shipping form isn't a good idea
Having myself been lectured (and inappropriately, by the way) by Citibank employees about how it's my own fault my credit card interest rates went up (it wasn't, by the way), I hope at minimum that someone sits down the entire senior staff of this company and lectures them like they were children for many hours, making them feel as embarrassed and disrespected as they routinely do to their customers.
And then, just to make the point, they should have to pay not just whatever court-assessed penalties, but that amount plus 24.99% retroactively applied to the entire amount backdated from the time they finally pay all the way back to the time of the incident, just like they're always raising people's interest rates to unreasonable amounts like that even retroactively on purchases already made, and to ensure that they pay in a timely way.
And it goes without saying that reparations should be paid personally by the people who run the company, not passed along to customers.
Kent M Pitman
Philosopher, Technologist, Writer
"... was lost while being transferred to a credit reporting bureau"
Not sure what is more ironic, the fact that a shipping company can't even ship its own packages or that the information destined for a reporting bureau is now most likely going to destroy the credit of said patrons.
Welcome to the 21st century, where we are in total control of your personal data, not!
Way to go, double "Doh!"
The Inquirer had an article talking about encrypting backup tape a few days ago.
Coincidence?
DT
Is this thing on? Hello?
What's the fastest way to transmit stolen data? Modem, T1, T3 - or a UPS truck full of tapes?
52 Weeks, 52 Religions with John Hummel
After learning about a string of these 'mishaps' here lately, I wonder who *really* has the lost data now and what are they going to do with it.
Mere fraud is too obvious and passe.
Could be the start of something more sinister....
Be on your guard, people.
"I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement."
Give me your social security number and I'll be glad to demonstrate what's "gone".
As yuo no, we are comited to protectng your prievecy adn as such we need u 2 veerify yuor account by going 2 this site CITIGROUP.COM adn entreing lots of peersonil info.
Tahnk you 4 ur help in tihs imprtnt matter
Signed, CITIGROUP
- "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
where do I download?
...is now the color of his underpants.
Call this number (202) 456-1414 ask for G.
...You can expect them to be probing/asking if your tapes are encrypted.
Most backup systems don't have built in encryption, but you can work around it
It's pretty easy for windows when using something like backup exec 9.x +. In my situation, I backup a .bks file to an encrypted folder (Windows EFS where the .bks file takes on the encryption attribute) then duplicate it to tape.
Ntbackup supports encrypted files, but I'm not sure if it has a good duplicate feature or not
Of course you'd best be on the up and up with how EFS and certificates work and of course have a bullet proof PKI - or you're kinda hosed during a bare metal recovery. I guess it does "add complexity to restores" but only those aforementioned cases
:-/ ...Kinda important if you can't cipher your whole drive.
it's a well documented subject
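A pre-flight check of the kind that comment describes, as an added example that is not from the thread or from any backup vendor: it marks the backup staging folder for EFS, refuses to hand the set to the duplicate-to-tape job while any file is still plaintext, and confirms an EFS certificate with its private key is present so an encrypted tape can actually be restored. The staging path is an assumption.

```powershell
# Added example (not from the original thread). Assumes a Windows host where the
# backup job drops its .bks set into $StagingDir before a separate job duplicates
# that folder to tape. The folder path is a hypothetical placeholder.
param(
    [string]$StagingDir = 'D:\BackupStaging'   # hypothetical path
)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. Mark the staging folder for EFS and encrypt what is already in it.
#    /e marks directories, /a also applies to existing files, /s recurses.
& cipher.exe /e /a /s:$StagingDir | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "cipher.exe failed (exit $LASTEXITCODE); not safe to duplicate to tape"
}

# 2. Verify: every file must carry the Encrypted attribute. Anything that slipped
#    through (copied in by a tool that drops attributes, or written before step 1
#    finished) would land on the tape as plaintext, which is the failure this
#    story is about.
$plaintext = Get-ChildItem -Path $StagingDir -Recurse -File |
    Where-Object { -not $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }

if ($plaintext) {
    $plaintext | ForEach-Object { Write-Warning "plaintext in staging: $($_.FullName)" }
    throw "Refusing to duplicate to tape: $(@($plaintext).Count) unencrypted file(s)"
}

# 3. An encrypted tape is only restorable if the EFS key survives the disaster.
#    Confirm the running account holds an EFS certificate with its private key;
#    the operator still has to export it and keep the PFX away from the tapes.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
    } | Select-Object -First 1

if (-not $efsCert) {
    throw "No EFS certificate with private key for this account; a bare metal restore would fail"
}

Write-Output "Staging folder verified encrypted; EFS cert thumbprint $($efsCert.Thumbprint)"
Write-Output "Export this certificate with its private key (Export-PfxCertificate) and store the PFX separately from the tapes before shipping."
```

Run it as the account that owns the backup job, immediately before the duplicate-to-tape job; a non-zero exit is the signal the tape job should not proceed.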
They sold them to a spam company.
The UPS guy that "lost" them should be heralded as a hero!
Enough is enough. My god.
/.
'"Beginning in July, this data will be sent electronically in encrypted form," said Kessinger'
What the hell. It's 2005. Why wasn't the data encrypted in the first place?
If anyone is harmed by this, someone should see if the HOOPER case (1928) applies. IANAL, I just play one on
Also, why are they so damn freakin lame with credit monitoring for only 90 days? This is a lifetime breach.
How would it work?
You're nothing; like me.
There are government regulations in place that require collecting a certain amount of information, including SSN. The IRS must be notified if you make a deposit or withdrawal over $10,000 and the bank needs to send you and the IRS information relating to interest earned for tax purposes.
Eventually someone is going to just have a public database with all this crap in it. The worst part about all this is how much money people are making by selling off stolen databases to the highest bidder.
In the perfect world, anyone would be able to get my information, and I would be informed exactly when it happened, and if I wanted to, I could get their information.
As fun as the notion of privacy is, it is highly impractical and inappropriate in a modern, information driven society like the one we live in.
Customer: I lost my card and/or pin number. Can I get a replacement.
Bank: Sure, we just need you to prove that you are the owner of the account. What's your card number?
Customer: How the fuck am I supposed to know? It's on the card which I've lost.
Bank: Alright, name 3 transfers in the last month.
Customer: I haven't used my account in 2 months.
Bank: I'm sorry, we can't verify you're the owner. We'd ask your name, address and photo id, but we can no longer keep those details about you. Your 4,000 is ours.
Or if they have the card, there's no proof they're the owner (if they forgot the pin and don't have the recent transfers). Yes, not everyone uses their accounts a lot, and often forget transfers they've made and the amount it was for.
Until the fines cost more than the security implementations, huge companies like Citi will always have problems like this. Hell, CitiCards shows the domain administrator's username in all of the marketing materials. I tried to change this when I was there and I got the big f@ck you, shut your mouth or you're out of here.
"The only way to solve this is to attach a cost to personal data. "
Will that be RIAA/MPAA math, or will that be Slashdot math?
- stolen from saic
- illegally sold by bank of america
- lost by citibank
awesome! thanks a lot guys
For a moment I thought I might not have to pay back my loan -- then I realized it was just their back-up copy that they lost.
Why do you torture me so slashdot?
In Soviet Russia, Brown does you!
I was working with someone from the FBI on a break in and he told me that a large portion of the cases he was involved with involved the theft of backup tapes, generally by insiders. I am amazed that most backup software still does not support encrypting the data before storing it.
The article assumes "lost", yet there's zero proof of that statement. It could just as easily be an insider job and the tapes stolen and sold to some crime syndicate.
This crap won't end before people's data is assumed by default to be their data and not these over stuffed pompous merchants' they do business with. With all this corporate noise of "IP", and how much they assert they "own" this or that, I hear very little from them about who actually owns what. Seems like they just hijacked all their customers' information and automagically assume ownership of it to do with what they want, like this example of shipping all that data like it was a cheap trinket by common courier for a few dollars. That's probably all it was, too, a few bucks. How cheap and greedy and stupid can you get?? Nutz it is. IMO, they can *use* that information for the purposes of the contracted service, the initial exchange, but after that point, it should revert back to the customer's *total* possession. Once identity is established, they could have issued an account number and only kept track of that in-house; there is no technical need to store the customer's personal data in that fashion. It's a law and stupidity and greed question, it's not much of a technical problem.
IANAL but I had to do quite a few semesters of law keying on contract law... isn't there something in Tort law, like negligence, that would open the way for a class action suit?
Then a simple "loss" wouldn't be a Big Deal!
(All mine are, as are my laptop harddrives, in case a laptop "goes missing")
Best Buy can have you arrested
The same way it works in Switzerland, or the Caymans, or whereever it is that they take banking privacy seriously this decade.
Why could a bank possibly need any info about you in order for you to loan them money?
Socialism: a lie told by totalitarians and believed by fools.
Everyone is missing a point here: Who in their right mind backs up data, then uses UPS, of all companies, to ship it? These guys are brutal, and have a well deserved reputation for roughing up, damaging, and destroying/losing packages. Ever notice how your nice, delicate electronic type toys are shipped via Fed Ex? Hmmm?
My favorite personal UPS experience is when I received a large manila envelope from UPS. They thoughtfully added a nice, large, black *tire track* (as in from a truck) across the envelope. Free of charge!
What can brown do for me? Not my shipping, that's for certain!
I expect this will take a big class action lawsuit...
There are certainly better ways to solve this problem than the "let's make them afraid of lawsuits" method. Fear of reprisals tends to motivate people to cover up their mistakes, shift blame elsewhere, and so on.
Litigation is the same kind of "solution" that the US medical system has been using for some time, and it has contributed to having, by far, the most expensive medical system in the world, without commensurate quality.
Rather than going down that road again, we should be more proactive about protecting personal information. Here's just a few things we need:
I don't see what the big problem is. If they'd bought insurance they could replace the data storage tapes easily...
Waking Up - There must be a better way to start the day.
Looks like you've got some skid marks there.
You'd think they'd employ their own courier to move backups with sensitive data. This just shows how much value they put in their customers' security, financial and otherwise. If I were their customer, I'd be closing my accounts with them NOW.
They are unaccountable. Try complaining to your state's AG about your bank or CC company. You'll be told that the OCC (Office of the Comptroller of the Currency) has jurisdiction. Want to complain to them? Well, they'd probably listen if they weren't staffed by governmental appointees and ex-industry insiders.
Want to sue? Sorry, but you've probably already given up that right under an "arbitration" clause. One could try a class-action suit, I suppose, though that avenue's been largely gutted by the "Class Action Fairness Act".
So what if the industry loses a few more dollars to identity theft? They'll just raise interest rates, late fees, and overlimit charges to make up for it.
No problem.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
If that was their only copy of my records, I wouldn't be so sad. No matter who ended up with it.
----
Not to be confused with Col.
"When multinational mega-corps losing vital personal databases is outlawed, only outlaw multinational mega-corps will lose personal databases." - Tom Hanks in Castaway II: War of the Gilligans, in the scene where Tom must instruct a nerf soccerball on the importance to democracy of multi-national mega-corporations having complete lack of accountability for the databases of their customers' most personal and sensitive information. (Note: Hanks did not win the Oscar for this role due to Tom Cruise's knock-out portrayal of a (former GI, psychologically impotent heterosexual) everyman in Steven Spielberg's immensely successful follow-up to War Of The Worlds, WOTW II: The Big Shill. But it was close!)
"We're millions of miles from earth, inside a giant white face, what's impossible?"
But backup tapes are a whole different story. Of course you can encrypt your backups, but you can also encrypt your whole hard drive. Both will end up eating CPU time and increase chances of corruption. What ever happened to fault tolerance?
Personally, I wouldn't want to complicate the backup and restore procedure, only to increase the margin of error. Backups can be temperamental enough, without adding the encryption overhead.
I'm not saying it's ok to lose 3 million people's credit info, but I do agree they could have done better, i.e. encrypted over a WAN link, where our handy connection-oriented protocol will re-transmit lost or corrupt packets until the cows come home.
But situations like this are just plain sad. Personal identity and credit information are physically shipped by a general carrier, with no assurance of integrity, and completely unprotected. They were asking for it, bad.
--
With great power, comes great utility bills.
I'm not saying it should work that way, and I'm certainly not claiming it could in this pro-business climate. But it's an interesting thought experiment.
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
The loss of this many records could have a broad range of implications. Some include:
1 - UPS stock values
2 - CitiCorp stock values
3 - Whoever insures UPS or CitiCorp will take a major hit
4 - The credit reporting industry will be beleaguered with problems to the degree that they could become a non-entity in the future - I mean who can trust them at this point (like we did before)
I work in the finance industry and can testify that brokers such as Citigroup ZEALOUSLY guard their trading data. To even go near it you need to sign NDAs and those with access to it are regularly audited.
There is no way in hell that Citigroup trading data would ever have been lost in the way that they lost these customer records... The reason of course is that private trading data is essential to Citigroup profitability.
As other posters have noted, the only way that companies will start seriously protecting customer data is if there is a real financial incentive involved.
I think that this kind of shit should be disclosed in a privacy policy. For example, "Your personal information may be transported, on physical media, to other parties via third-party carriers." Would that really make a difference though? And furthermore, why the fuck is it that the last few stories I have seen of this nature have involved UPS losing backup tapes?
Kinda makes you wonder if any of it is related to that dude who got busted dropping off packages off at his own house and selling the stuff on eBay... If not to that case itself, maybe someone else doing something similar?
bash: rtfm: command not found
Here in Mexico there are suspicions of dirty operations by Citigroup, i.e. millionary tax fraud when buying the Mexican bank "Banamex". Mexican news reporter Lily Tellez has received death threats because she spoke about it.
And you thought losing some customers' information was serious. Ha hah.
Talk about revenge... Note to self, never open an account with Citigroup. If I do, be sure to never close it.
EvilCON - Made Famous by
Fedex Custom Critical. No, I'm not a driver or anyone else even remotely connected to this service. But when you have a high confidentiality package that *must* be accounted for from point A to point B, why trust it to any old brown truck? Especially the package handlers at the sort depots that treat your box like a Nerf football.
Good god, don't they care about my account data? Umm nevermind.
What I want to ask is, with such valuable data, why didn't they just pay someone $500 and fly them to the destination, and have them carry it in their carryon luggage? Humans are more reliable than UPS.
UPS loses and destroys packages on a routine basis. The stockholders don't care and customers keep coming back despite.
It sounds more like the information was merely copied, not actually lost.
You figure with that much sensitive data it would have been hand carried.
Fed-Ex/DHL start running ads to the effect of "We don't lose your important packages like the other guy. . ."?
You have a constitutionally protected right to be wrong, and I the right to ignore you.
...for doing business with citibank.
I worked for a major bank once, and know people who have worked for citibank in particular.
The contempt in which banks hold their customers is mind boggling.
Use a credit union. They seem to be the only financial institutions with a conscience - probably because they can't make a profit.
"Sic Semper Path of Least Resistance"
Surely they are using something like TSM for the backups; the data can be encrypted on the tapes and there would be an onsite copy of the data on tape as well as the live data. Fairly simple to do and there's no excuse for not doing this with sensitive data.
What is interesting is that this comes about a month after the theft of about 600,000 customer records by TimeWarner cable (http://informationweek.com/story/showArticle.jhtml?articleID=162101437/).
The data went missing while in transit to an Iron Mountain facility by a truck. Sounds like a very similar incident here. In the TimeWarner article, the Iron Mountain corp was quoted as saying that they have the technology that would allow companies to use incremental backups to copy their data to the Iron Mountain center electronically thus eliminating the truck but I guess companies are either not listening or finding it cheaper to ground-ship the data... Perhaps after all these massive thefts at TimeWarner, Bank of America, Wachovia, and now Citigroup, companies will reconsider how they back up their data..
Perhaps they will start to use armored trucks instead of UPS ground to ship their customers' records, once the lawsuits start streaming in...
--
http://unk1911.blogspot.com/
The same way it works in Switzerland, or the Caymans, or whereever it is that they take banking privacy seriously this decade.
;-)
No, that was previous decades, when money laundering and facilitating criminal/terrorist activities was considered quaint and harmless. It's a very different world this decade. Things are not as private or as anonymous as it used to be.
In other words, go ahead and open an "anonymous" account at such an institution. All you will really accomplish is that your file will be maintained by a 3-letter agency that is not the IRS.
Gotta ask;
Isn't this a violation of privacy rights?
Not the loss of the backup tape, but the fact UPS is handing over personal information to another company.
If I want to use UPS as a reference for rating my credit, then I'll offer that information on my own accord when applying to companies who are seeking payment history.
This story, however, clearly shows that UPS is regularly handing over private information to Experian.
http://www.experian.com/consumer/index.html
IMO that act should be illegal, let alone the negligence of losing said information.
In this case, the lost cargo is probably in a UPS warehouse somewhere. They probably ran over the cargo with a forklift, and it's currently unidentifiable.
Nah, we got that crate in from UPS this afternoon. I told ol' mort to put it next to that strange pre-war government crate in the back of the warehouse that hums.
HA! I just wasted some of your bandwidth with a frivolous sig!
I'm sure it was insured...
-tom
That is why things like this happen. Banks are big companies that shift lots of money about and they tend to know quite a bit about how to make money.
So it is reasonable to argue that the reason the banks don't encrypt the data and send it by some system where it will, with a high probability, be "lost" is that the "accident" will in some way make money for them.
You can all be as outraged as you want but until banks stop making money due to identity theft things will not change.
The only way I can see this happening is for the banks to be fined, and the fine must be larger than the amount of money they may make.
threadeds blog
How many "essential" customer databases do you suppose there are in the USA?
The more redundant backups that are made, the safer the data is from loss that would disrupt the businesses, so more and more backups are made and shipped off to be buried under a mountain somewhere.
As these thousands of databases spawn thousands and thousands of backups destined for remote storage, guess what? Backups will be lost!
The odds that a lost backup will be found by someone with the hardware and software needed to access the info are mighty slim. I would like to think that businesses, particularly banks, use at least some lightweight encryption, if not proprietary formats, to prevent access to backups by unauthorized parties. But even without such protections, identity thieves don't thrive on these mishaps, they have plenty of other methods.
This just doesn't seem much of an issue to me.
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
where there are very strict rules about how companies handle personal data.
And when the information contains the personal ID number, the rules get even more strict, and you can expect random control visits to make sure that you follow them.
You guys should have heavy fines for slipups like that.
We need a law which would heavily fine and imprison the CEO of any company that lost customer data. With this over their heads you could be sure that all security measures would be taken regarding our information. The fine would go to the individual whose information was lost or transferred or whatever without their approval.
There must come a time when we start to understand that any kind of personal information first belongs to the person from whom it is derived. It is similar to personal property. And this kind of property must not be available for sale, nor may the individual give up his right to this property.
This kind of law would make storing information on people more of a risk for the info gatherers.
1984 is on the way, a bit late but coming, so please, let's do something to stop it.
This is a test!
why I just received this email:
Dear Citigroup Customer,
This email was sent by the our server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your ATM/Debit Card number and PIN that you use on ATM. This is done for your protection -I- because due to matters out of our control, our customer records are out-of-date.
To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
Shipping private records through UPS? I've been inside the hubs and the way some packages are handled is just nasty. Combine that with poor packaging, and you get what you pay for.
Who cares? The data on the missing tapes would all have been encrypted, right -- it's a bank we're dealing with here -- and the decryption key would surely have been sent by a separate channel {otherwise what was the freakin' point of encrypting it?!}. And in order even to read the encrypted data off the tapes, you'd need one of the right make and model of tape drive ..... So basically, nobody has any way to recover anything that would be useful for naughtiness. And since the tapes were backups, it stands to reason that all the original data must still be kicking around somewhere. This is a non-story. It has value only as a sensationalist piece which might scare the ignorant. Ting! Next, please.
Je fume. Tu fumes. Nous fûmes!
A credit card agreement is essentially an agreement to get screwed over by the issuing authority in return for certain services. Obviously those services aren't of sufficient value to you compared to the buttfuckage that goes with it. I wish people would think more than twice before getting a credit card. There's a tendency to think they are just a standard trapping of 21st century life, but you really don't need to go that route if you don't want to, especially with the widespread availability of debit cards and other ways to transfer funds.
Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.
They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.
If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.
The truth about Scientology, Xenu, and you: Operation Clambake
You're 4,000 is ours
"Your".
Citibank
666 Fifth Avenue,
New York,
New York 10103
Why isn't the data encrypted with some sort of strong schema during the transit?
-- Sig down
*COUGH*inside job*COUGH*
That information would be worth quite a bit of money in the right hands.
Coding Monkey.org - Spanging the heavy spade of truth into t
For people like me (non US) who did not know what this "Brown"-stuff was all about: http://louisville.bizjournals.com/louisville/stories/2002/02/04/daily35.html
"At UPS, brown is more than a color -- it's a tangible asset that people associate with all the things that are good about our brand,"
Shit... (no pun intended) this reminds me of the film "Coming to America" (http://www.us.imdb.com/title/tt0094898/quotes) where Akeem says "When You Think of Garbage, Think of Akeem".
They want to fuck your SSN.
that's why it's necessary to destroy SSN so they can roll out Bush's fucking National ID Cards.
This is all because electronic voting allowed these thief, murdering motherfuckers to get power
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
Which requires companies to take precautions against the loss of personal data.
It may work only if the liability is prohibitively high. Otherwise, once we put a price tag on privacy, corporations will simply calculate the cost of protection and expected liability (by doing some probability maths). Turns out that people may find it less costly overall by sticking with a minimal protection scheme.
I'm not sure if my data was stolen, can someone please check?
Douglas Whitmark
2020 La Puerta Apt. 102
Albuquerque, NM 87122
SSN: 281-79-3326
(PS: I made all that stuff up. Sorry to any/all Douglas Whitmark's out there. That's where my random number generator landed.)
Ever since UPS started that Brown nonsense, I've wanted to start a diaper cleaning service using old UPS vans. It would be called Brown-UPS - You brown 'em up, we clean 'em up!
At least it wouldn't matter too much if we lost a shipment.
Mainframe computer backup tapes are very frequently in essentially clear text form and the cost of a reading device, while not cheap is nowhere near high enough to prevent anyone from cracking them.
The real issue is that when you place your money in the hands of any institution that handles 100s of thousands of accounts at a time, you've really upped the odds that an incident will affect you. Simply put, the bigger the pool, the more fish will get netted.
Why do we keep entrusting important data to firm with an acronym that says "OOPS" on all of its delivery vehicles?
Look at the bottom of the article, it clearly says:
CitiFinancial is inviting customers to enroll via a toll-free number, 1-888-469-8603, in a free credit monitoring service for 90 days.
This whole article is a ploy to get you to buy their credit monitoring service. Once you sign up they hope you forget you did and after 90 days they start charging you for credit monitoring.
This sort of thing is just gasoline on the fire for using biometrics for identification. Once all transactions are backed by solid proof of id, your SSN and credit card numbers can be openly published right next to your address and phone number.
What, you think there's something special about C-bank? No, they're the rule, not the exception. Every financial institution cares just about the same amount about your data, and your life - in fact, the only money they really watch out for is the huge sums the company gets to keep for itself - THAT money (and the company's data) gets MUCH more carefully guarded!
My rule these days is, giving away information that you don't have to is like giving whiskey and car keys to a teenager. So apply for the credit card, but just write "disconnected" in the phone number box. Use several free email addresses and make sure they're evenly distributed as contact drops. Make a "mistake" in estimating your exact gross annual income, when reporting it to anybody but the IRS.
The point is not to be subversive, but just to be realistic. The information age has spawned a paper-happy bureaucracy driven by bean-counters who want your life history at every other step. Check it yourself - 90% of the data that you go through life writing in little boxes is simply dropped into a filing cabinet unread, unneeded, and ignored. I've gotten driver's licences with no address (just a PO box!), paycheck stubs with no SS number on them (you can ask to get it removed), and once got Household Credit to approve "Barney the Purple Dinosaur" for a credit line of $250. (To the best of my knowledge, the address I did this at *still* gets offers for him...)
Most of the people who key the data from your form to the computer do not even speak English! In fact, the most likely method for your data to be read is for the processing center to OCR-scan (or flat picture scan) it into a computer, where the images can then be beamed to the lowest-bidding Malaysian crack monkey (anywhere in the world) who "reads" the picture of your data and keys it in. And they're feeling the pressure from machine-AI reading programs, which are able to translate more and more of your hand-writing with a higher percent-chance of confidence every day.
Bottom line, if you throw a "Jr" onto your name half the time and half not, or only use your middle initial as the fancy strikes you, you're lying to no-one but an SQL database app, and you're only doing what little is in your power to confuse would-be identity thieves; necessary in a world that will always refuse to protect you!
Good grief! My data is lost...
He who knows best knows how little he knows. - Thomas Jefferson
Big Corporations / Govt will NOT do anything to help the average person; it is up to people to help themselves (unfortunately, this is the way it is). While a boycott by one individual may seem insignificant, several million people withdrawing their funds and taking their business elsewhere will have a major impact. It seems that the only "thing" that talks nowadays is money.
My 2 cents, anyway.
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
NPR covered the story this morning, even including an audio blip by Bruce Schneier. He actually thought that using UPS could be a good idea - kind of like hiding a needle in a haystack, but unfortunately in this case, the needle got lost. I would agree with others, that especially if they knew the needle was going offsite, it should have been encrypted.
The living have better things to do than to continue hating the dead.
Hope they have good backup systems in place, at least in the future
Chris,
Php Programmers.
I hate the system so much I have considered just posting my identity on ebay for $1 with a noted inventory supply of 1,000,000.
Identity. Who cares, life is a temporary situation, even the rich are going to suffer years of pain before they die. MUHAHAHAHAHAHA. Remember Jesus had a bad weekend before he died, we are more likely to have a bad couple of years in which we will beg to be hung on a cross. -- I guess I'm feeling a little grumpy this morning.
What Citibank did (shipping unencrypted sensitive data by UPS):
1. Is or at least ought to be a crime. People there should now be looking forward to jail time, not just fines.
2. Some customer affected should initiate a class-action suit. Damage was done.
3. Why don't they (and the authorities) make the obvious assumption that the data was stolen, not lost?
What can brown lose for you?
Not at all. But with regards to the recent bankruptcy bill, I see it as two wrongs, compounded by a third and bigger wrong.
* Wrong #1: People who use credit cards unwisely. Nothing good about this, and I won't defend it.
* Wrong #2: Credit card companies that push credit on people with relentless advertising. Then they advance credit to just about anyone, and are happy, even eager, to up your credit line. IMHO, they are knowingly making bad loans. This used to be known as "bad banking" and was punished by bad profits.
* Wrong #3: After years of making bad loans, and starting to see personal bankruptcies rise as a result, the credit card companies buy legislation to "close the loophole." They have been taught nothing about prudence in loaning, at all. Neither side is right in this. But the bad part is what happens to that original background of bankruptcies, before this credit abuse bubble. This bill is catching some of those legitimate bankruptcies and turning them into lifetime debtors.
There are so many credit cards that offer better terms, you should cut your Citicard up into tiny bits and mail it to them with your cancellation. After Citigroup acquired AT&T Universal card, I stopped using it because of the horrific terms. You are being treated the way you are because that is the way management wants you treated. Life is too short to put up with that kind of nonsense. Start with ClarkHoward.com, type credit cards in the search box and free yourself!
Absolutely something helps -- they scanned the package, they know what driver scanned it at a minimum and when, so they can fairly easily guess where it may have been delivered. They can have their driver visit those locations the next day and ask about the package. Considering misuse of the information in that package is a felony, even if whoever has it doesn't fess up, it gives a pretty good place to start a more careful watch.
FedEx has mis-delivered several shipments to me over the years, and they've gone and gotten it back in every case but one when I went and did it myself.
Did the recipient call FedEx and have them put a trace on the package?
They were shipping via UPS due to the low cost? First, I would think that the postal service would be cheaper if they were looking for low cost. Second, I had a similar issue with an airline shipping my ticket via UPS and when the ticket was lost, UPS would not give me any information about where the packet might be, not even when the airline tried to contact them. All they would say is, the package was 'delivered'.
I will not trust UPS ever again. Also, I have never had any problem with the United States Postal Service
If they ever needed to restore from backup, I hope they found the sources!
Sorry, but in the days of ultra high broadband and fiber optic connections, what the hell are they doing sending tapes of all things by UPS.
Sounds to me like a planned "disaster" - cough - Heat - rather than an oops!
- - - - - - -
Hey, I hear you can run Windows on a PowerPC and
MAC OS X on INTEL... WTF is that all all!
Look I found it on ebay, They only want $1000. I am going to bid.
There's more to life than money. I guess they really want us to feel this.
It appears that information theft is getting more and more covered in the media. I don't think there are more incidents, but that the media are now more aware of this "new" type of criminal offences. Especially if carelessness facilitates information theft. Just this week all clients of one of the biggest banks in the Netherlands were mailed with a fake mail, where they were asked to enter their login and password. The receivers of this data could start transferring money without any trouble.
If enough people care, and call, they will address the issue!
John
Campaign for Liberty
How can you make an accident illegal?
I like how you call it an "accident". Personally I'd call it "negligence" -and IANAL, but negligence is a tort and hence constitutes something they can be sued for (or even prosecuted if circumstances warrant).
I don't think there's a poster on this forum who would say that sending those tapes through UPS unencrypted wasn't an act of negligence.
That is why we put all of our backup tapes in a red box and then attach them to a carrier pigeon to get them to our off-site secure storage.
I noticed that one of the questions (in the FAQ) asked if UC would help restitute costs. Implying, "Will UC take any (non-verbal) responsibility for their mistake?"
The answer neatly sidestepped the question of moral responsibility and willingness to help, by referring to legal liability.
Interesting, but slimy.
More interesting still, is that UC made the FAQ, and could have reworded the question to make their answer sound less evasive.
Exam 4/C again. Maybe I'll do better this time.
I would hope that you are looking very hard for new employment.
If you're not, then the management is right not to worry about the effect on at least one employee.
Employees at almost every job I've had talk about how horrible it is to work there, but very few of them do more about it than complain in the break room.
It's a joke, son.
And what good would that do? Unless you're buying your Congresscritters 30 second spots or shuttling them around in your private jet with the very accommodating flight attendant, then you're barking at the breeze, buddy.
In this age of government by the highest bidder, the people losing your data are the highest bidders. Too bad. You can get as mad as you want but it doesn't change anything.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Fear, sometimes. Caution, sometimes.
Ridicule, often. Weaseling, always.
But, laws never instill common sense or courtesy.
...of those federal regulators might just happen to own Citi stock or have other personal or family financial interest in Citi?
Sometimes it really is quicker to move a large amount of data via old-fashioned, physical media. Plus, if it gets stolen, at least you know about it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
"Until someone does some knee jerking"
Knee jerking doesn't help, since it implies short-term, not-thought-out solutions. Knee-jerk reactions tend to return you to where you were before you reacted (no lasting change).
Calmly finding a bank that is more responsible, and taking your business there is much better.
It seems incredulous to me that after hearing some of the major breaches or loss of customer data within the past 60 days or so (Wachovia, Bank of America, DSW, Lexis-Nexis) I have the right to be a bit concerned about giving my social security number to any financial institution. If these large financial institutions and data warehouses can't keep my information secure, why should I give it to them?
The lady at the local bank started looking at me funny after I asked her if my SS# was required to open an account, and started giving me some "post 9/11" corporate response. (Meanwhile, I'm thinking 'yeah, exactly. that's why you shouldn't have it.') And who cares about "128-bit SSL/DES encryption/armed-guard data centers" when you ship unencrypted records via public-class shipping services?
Where's that bit of legislation about returning the social security number to an SSA-only internal identifier when you need it... Maybe we can get some support for some of that now..
Speaking as a bankrupt, unemployed person, I welcome our new equalized credit environment.
Or does it seem like too many companies are losing data these days.
Now I can understand the thefts, the outright insider selling of data.
But come on, how do you lose 3.9 million accounts? This seems strange. This data, if it had to be shipped, should have been encrypted as well. According to the Gramm-Leach-Bliley act http://www.ftc.gov/privacy/glbact/ there are supposed to be provisions provided and set forth in such an event. Yet, we still read almost daily of some financial institution mishandling our data.
My question is, has this been an ongoing thing and we are just now becoming more aware of the problem, or is this type of careless concern what we can expect from our trusted banking institutions.
I am Bennett Haselton! I am Bennett Haselton!
The trick to getting high value stuff through UPS is to label it just that - "High Value". If you value your items high enough (and pay the insurance coverage), UPS flags the item and it damned near gets hand carried through the system. If Citibank had sent it valued at, say, $25k (woefully low for the damage its loss has caused), that little package would have been treated like the Crown Jewels.
My guess is the Citibank shipping drones weren't flagged as to the value of the contents and shipped it out at 1# for $3.85, values at $100 (default/no extra fees).
Sure hope that $100 they get from UPS covers all of Citibanks' expenses.
"As God is my witness, I thought turkeys could fly." A. Carlson
They do have a 98% on-time delivery rate, and I think that is pretty good.
The real question is that maybe shipping this type of data as a generic UPS package along with books from amazon, and umbrellas from walmart.com is not such a good idea.
I bet they didn't even ask UPS if it was appropriate to send such materials this way or not, or even ask if UPS could provide a little extra service to this data because of its importance...yet here Citi is blaming the shipping company.
I don't think it's fair to blame UPS in this case, or FedEx or DHL or whoever if it was a similar situation by another company.
Citi needed to put more thought into their data handling processes and not blame other companies.
Where are Congressmen Paul Sarbanes and Michael Oxley nowadays? This kind of thing is right up their alley....
I believe that the finance industry does not want to pay for a more secure identification system for their private clients. And so perhaps (and how could I really know) they are intentionally creating high-profile incidents that they can use to justify a push for a new arduous (fascist) identification system paid for by taxpayers.
If the data is like money in that it can be used to generate income by people misusing it, then why is the data not treated like money? Would this bank transfer cash through UPS? No.
It is the bank's negligence which caused this problem. The bank should be held accountable, perhaps criminally liable if indeed it is a plot to push their expensive plan to brand us all like cattle and have the federal government charge the taxpayers for this privilege.
seriously, isn't this kind of thing where a class action lawsuit should be filed?
3.9 million people, I'm likely to be one of them even though my accounts are already closed.
Another option would be to have all 3.9 million people request new social security numbers from the US Govt. There are only 1 billion numbers, eventually they'll run out.
42 - So long and thanks for all the fish.
I develop software for banks and used to work for a financial institution in Europe.
Pretty much all major banks/financial institutions I've encountered have a lot of corporate politics that eat up considerable resources and block rational decisions.
Furthermore, the IT departments are usually amongst the worst in class. They are usually understaffed with cynical leadership and oftentimes several warring (IT) departments that haven't been successfully merged after a merger of two companies.
Hmmmm, I wonder how much a parcel company has to be paid to lose something like this ... ;-)
I've experienced missing packages in 2 cases, once for me and once for my parents. I believe both times the package was stolen (my parents' package contained a computer from Dell they shipped through the post office, dumbass Dell; mine was an LCD monitor that never left the DHL warehouse and couldn't be found). Who's to say a UPS employee for whatever reason didn't steal the package?
Awww man, and tomorrow the whole globe is getting a new email saying
"We are sorry, but CitiBank needs to verify your personal details including PIN due to the loss of our backup tape. Please click this link......."
This seems like a perfect use for this technique. Create a pad tape, and encrypt the original with it. Mail the pad by UPS to your destination; when its delivery is confirmed, mail your encrypted tape. For extra security, hand deliver 100 one time pads, and then mail the data tapes by any means you wish. They are completely useless without the pads.
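The pad-first, tape-second procedure described in the comment above, and the earlier point that a decryption key has to travel by a channel separate from the ciphertext, are modelled in this added example. It is not code from the thread or from Citigroup; the tape record, the "delivery confirmation" flag and the function names are constructed for illustration. It also shows the two properties a practitioner would want to see: a lost ciphertext-only tape is consistent with any plaintext of the same length, and reusing a pad across two tapes leaks the XOR of their contents, which is why the poster's "one pad per tape" matters.

```python
"""One-time-pad protection for a backup tape whose pad travels separately.

Added example, not from the original thread. All data below is constructed.
"""
import secrets


def make_pad(length: int) -> bytes:
    """A fresh pad: as long as the tape image, from the OS CSPRNG, used once."""
    return secrets.token_bytes(length)


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad. Encryption and decryption are the same operation.

    The pad must cover every byte. A shorter pad would have to be cycled,
    and repeating pad bytes is what turns a one-time pad into a breakable
    cipher, so refuse rather than wrap around.
    """
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: generate a new full-length pad")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` would decrypt to `candidate`.

    Such a pad exists for every candidate of the same length, so the tape in
    the lost box, on its own, carries no information about its contents.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ k for c, k in zip(ciphertext, candidate))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What someone holding two tapes encrypted under one pad learns.

    The pad cancels out, leaving plaintext1 XOR plaintext2, which exposes any
    structure shared between the two records. This is the failure mode the
    "one pad per tape" rule exists to prevent.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def ship_tape(tape_image: bytes, pad_delivered: bool = True) -> dict:
    """Model the poster's procedure: pad first, ciphertext only once the
    carrier confirms the pad arrived. `pad_delivered` stands in for that
    confirmation (constructed; a real system would check a tracking record).
    """
    pad = make_pad(len(tape_image))
    if not pad_delivered:
        raise RuntimeError("do not ship the ciphertext until the pad has arrived")
    return {"channel_1_pad": pad, "channel_2_tape": otp(tape_image, pad)}


if __name__ == "__main__":
    # Constructed sample record; a real tape image would be the whole backup.
    tape = b"ACCT 0001 | SSN 000-00-0000 | J. Doe | balance 1234.56\n"
    shipment = ship_tape(tape)
    recovered = otp(shipment["channel_2_tape"], shipment["channel_1_pad"])
    assert recovered == tape

    # The lost box alone can be "decrypted" to any record of the same length.
    decoy = b"nothing to see here".ljust(len(tape), b" ")
    fake_pad = pad_that_decrypts_to(shipment["channel_2_tape"], decoy)
    assert otp(shipment["channel_2_tape"], fake_pad) == decoy

    # Reusing the pad for a second tape leaks the XOR of the two plaintexts.
    tape2 = tape.replace(b"0001", b"0002")
    ct2 = otp(tape2, shipment["channel_1_pad"])
    leak = pad_reuse_leak(shipment["channel_2_tape"], ct2)
    print("bytes that differ between the two records:", sum(1 for b in leak if b))
```

The XOR keystream is the whole cipher here; what makes it safe is the key handling the comment describes (fresh pad, full length, delivered on a different route, never reused), and each of those rules corresponds to one guard or one demonstrated leak in the code.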
Have an alternate form of identification that can be easily changed when someone steals it?
How appropriate would it be to have a single numeric password that accesses all of our accounts, that can never change and once stolen will still be the same?
Especially since id theft is becoming ever more popular and advanced?
It may herald the end of times but some more secure form of universal identification other than ones social would be nice.
M$ it's what's for dinner!!!!!
Who was responsible for their information being compromised. Last week I was informed by my bank that my debit card had been compromised and had to be turned off. I'm still waiting on my new card.
What irked me more than my information being compromised, though, was that neither the bank nor Shazam would disclose who the merchant was who was breached. When I asked the bank I was told that it would be "devastating" to the business. My point is, shouldn't it be? As I'm sure has been said here, this stuff probably happens every day without us knowing. Stupidity aside (like shipping unencrypted tapes via UPS), I can understand that some data is going to be compromised no matter what. What I don't understand is how a breached merchant can be allowed to remain anonymous and, in cases of stupidity, the merchant isn't held accountable.
Of course you stored my data in an encrypted format, didn't you? Oh you did not?
Well, I guess you will be hearing from my lawyer then...
why the frack were they using UPS to carry their data? What, not enough armored carriers around? And why was the data not encrypted?
They've sent out an email to all their customers asking them to update their details on the web page - I've logged in and done it - so my pin is now safe and secure...
If it is lost, but serious encryption was used, who cares? Oh yeah, if you aren't doing anything wrong, you have no reason to encrypt.
...To the guy that tried to stick it in a VCR and sees weird images coming up... It's not picasso porn!!!
It's not the destination that matters, but rather the journey.
Hearing about this, the first place I looked for helpful information was Citibank's website. No mention. Nada Zip Zero. Thanks for the help folks. One might think they could have a front-page notice with info on requesting fraud alerts on your credit records.
Oh Well....
enough is too much
My personal favorite is #1..
Citigroup Privacy Promise for Consumers
While information is the cornerstone of our ability to provide superior service, our most important asset is our customers' trust. Keeping customer information secure, and using it only as our customers would want us to, is a top priority for all of us at Citibank as a member of the Citigroup family of companies. Here then, is our promise to our individual customers:
1. We will safeguard, according to strict standards of security and confidentiality, any information our customers share with us.
2. We will limit the collection and use of customer information to the minimum we require to deliver superior service to our customers, which includes advising our customers about our products, services and other opportunities, and to administer our business.
3. We will permit only authorized employees, who are trained in the proper handling of customer information, to have access to that information. Employees who violate our Privacy Promise will be subject to our normal disciplinary process.
4. We will not reveal customer information to any external organization unless we have previously informed the customer in disclosures or agreements, been authorized by the customer, or are required by law.
5. We will always maintain control over the confidentiality of our customer information. We may, however, facilitate relevant offers from reputable companies. These companies are not permitted to retain any customer information unless the customer has specifically expressed interest in their products or services.
6. We will tell customers in plain language initially, and at least once annually, how they may remove their names from marketing lists. At any time, customers can contact us to remove their names from such lists.
7. Whenever we hire other organizations to provide support services, we will require them to conform to our policy standards and to allow us to audit them for compliance.
8. For purposes of credit reporting, verification and risk management, we will exchange information about our customers with reputable reference sources and clearinghouse services.
9. We will not use or share - internally or externally - personally identifiable medical information for any purpose other than the underwriting or administration of a customer's policy, claim or account, or as disclosed to the customer when the information is collected, or to which the customer consents.
10. We will attempt to keep customer files complete, up to date, and accurate. We will tell our customers how and where to conveniently access their account information (except when we're prohibited by law), and how to notify us about errors which we will promptly correct.
We will continuously assess ourselves to ensure that customer privacy is respected. We will conduct our business in a manner that fulfills our promise in the many nations in which we do business.
All we can do now is pray that the person or people who found/received the package are good hackers and that they might be kind enough to credit every one of those 3.9 million customers' accounts. (Oh how I want to be in that number...When the cash comes rolling in.)
tar -cf - customer_data|gpg -e -r trustedadmin@citibank.com|ssh destination@citibank.com "cat > customer_data.tar.gpg"
That'll be $3.5M, please.
http://www.theregister.co.uk/2005/06/07/citigroup_lost_tape/
The retail finance division of Citigroup has admitted that a backup tape containing personal information on almost 4 million customers has gone missing. The United Parcel Service lost the tape on May 2nd, and it hasn't been seen since. CitiFinancial only noticed the tape was missing on May 20. The tape contains Social Security numbers and transaction histories on both open and closed accounts at the bank's lending branches.
Citigroup says it has no reason to believe the tape has been stolen, but alarmingly, the tape hasn't shown up at any UPS depot despite six weeks of searching.
The company admitted that it doesn't use encryption on its electronic transmissions, nor has it explained why it took so long to notify the public.
Earlier this year a backup tape belonging to Ameritrade went astray, with personal information on 200,000 customers; Time Warner lost a tape containing information on 600,000 individuals, and Bank of America and Wachovia suffered a data breach affecting 100,000 customers each in May.
Customers are advised to call 866-452-2484
... A class-action lawsuit?
Think about this for a moment. There have been thousands upon thousands of malpractice lawsuits against individuals who showed gross incompetence.
In this case, not only did Citigroup fail to transfer the data, but they also failed to secure it. People who could have been potentially affected by this might actually be able to sue them.
Oh and why they decided to use snail courier is beyond me. There are so many SECURE VPN connections out there... idiots.
It's not the destination that matters, but rather the journey.
I didn't know they had the ability to store a human being's identity on magnetic tape. Huh.
It's been nice, but little citicard, it's time you and I part ways. You look really nice and shiny, but your parent company is showing major evidence of greed and stupidity. I know it sounds terrible, but if I don't cut you up, your number will be used and abused and it'll be up to me to sort it out.
Goodbye sweet plastic.
Reminds me of this quote from _Fight Club_... "One step closer to economic equilibrium."
So that the old identification system will have to be swept away to make way for the number of the beast !!
This article strikes me as odd. I used to work for a Citigroup subsidiary, and they had tons of stupid rules for how to handle sensitive data that we followed to the letter. One of them was that all information labeled as sensitive or higher (acct #s, addresses, ss#, etc) had to be shipped via Brinks armored trucks. This included paper and electronic media records. We also had to keep all client sensitive information under lock and key each night, and had frequent checks for it. To top it all off, we had to watch stupid videos by the CEO about the company we wanted to be, and how we should be preemptive in doing the right thing when it came to transactions and handling company data. We had to sign attestations to the fact. It was a horrible place to work, with restrictions on everything. Ironic that with all their rules, they still managed to screw up somewhere.
We sell your shit to every dickholster that asks.
lol, if you saw how that place works on the inside, you'd not be surprised.
It's a joke.
Consultant (developer) interview, (on the phone):
What's the difference between a class and an interface?
What's the difference between a hashmap and a hashtable?
Tell us about your experience.
You're hired!
No writing actual code as a condition of employment, no actual in person interview.
The IT department has posters on the wall explaining what phishing is.
The code is a joke. I would have fired anyone working for me who writes code the way they do. I terminated my contract after the first 3 days, once I realized they were not interested in cleaning things up.
The truth is, nothing will change because of this. They don't really care. Any changes were already in the works. This is a place where people become managers by staying around long enough.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
"Vice President Vader, your devotion to that ancient religion has not conjured up the stolen data tapes !!"
"Sir, we've intercepted a UPS truck that tried to break out of the sorting facility in Memphis. The tapes were not in the truck, but the hand cart was missing."
"She must have wheeled the tapes off the truck on foot. I want a complete search of the area. See to it personally, Commander."
"Yes sir."
If they used an older version of AMANDA to run the backups, no problem. That piece of crap has trouble reading its own tapes half the time. :P
Anyone that gets ahold of the tapes will throw up their arms in frustration and mail them back.
Funny this Citicorp story should come up.
http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/
"How one company, WorldCom, and its bankers at Citigroup, came to epitomize the conflicts of interest at the heart of the late-90s bubble."
An older show about the credit card industry.
http://www.pbs.org/wgbh/pages/frontline/shows/credit/
IMHO the whole industry is a scam.
It's surprising the number of organizations that use the SSN as ID.
Most school systems do, primary, secondary, and colleges. If you are in the military, your serial number is your social security number. It's right there on your ID card. All your documents will have it printed on them as well. You want a bunch of SSNs, get a job as a bouncer near a military base and write them down as you check IDs.
Get a job in 'retail' anyplace that offers military or student discounts. We are constantly putting our security in the hands of an abused underpaid underclass. Do you think someone making $5.15/hour really cares about keeping your info secure?
Truth be told, you would think banks, who have a financial interest in the matter, would look for something other than a social security number for ID. They are only making it easy to get themselves ripped off.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Maybe they should just check the tracking number...
There's no reason to panic.
They've probably already sold all that information to third parties anyway.
Either that, or used it for contacts in their "Exciting Business Opportunity" multi-level marketing scam.
Not to mention that this is one of the worst governed companies in the world.
This is why I don't sign on those electronic signature pads they have everywhere now. It's bad enough that my CC#s are "lose-able", but I'm not going to put my signature out there to be lost/stolen as well. As they provide *no* information about what happens with that electronic signature, *no* information about encryption level/type, *no* information about the physical security of the hardware, I have to assume the worst. There's a pretty good chance this data sits on some Microsoft database that's connected to the internet with little/no security.
I always (nicely) ask if I can sign on paper instead, and most of the time this is not a problem. I find it easier to assume that the stores' physical security is better than their computer security. (I know...they could still lose the paper, but I see less chance of that than electronic loss of my data.)
The fact that the government issues social security numbers is not the problem - they're great for what they were designed to do, identify social security recipients. You pay your taxes, uncle sam knows you paid your taxes, so when you go to cash out social security uncle sam knows you qualify. If someone "steals" your SSN to pay more taxes for you, well, great.
The problem with the system is that EVERYBODY ELSE has decided to use social security numbers to identify you, *AND* also to use them to prove that you are who you say you are.
Bank: "I need to know who you are. What is your social security number?"
You: "123-45-6789"
Bank: "I need you to prove that you're really this person. What is your social security number?"
You: "123-45-6789"
THAT'S the problem. It's like protecting your system by requiring a user ID to log in, and then, to make sure the user is who they say they are, asking for the user ID again. Pretty stupid, isn't it?
Anyway, it's not the government's fault that others use social security numbers for both the login and the password.
paintball
I just looked it up, not a significant drop in the value of Citibank shares since the announcement of the world's largest customer data breach.
So much about the self-regulating power of the market.
Citibank should be held responsible for handling the customer data they collect and store, to the full extent.
The lost data can cause identity theft, with severe consequences.
Citibank should be punished the same way an individual would be for causing identity theft against the corporation.
It's funny how individuals and corporations are treated differently by the legal system.
If an individual caused as much potential or future damage to Citibank, as the corporation caused to 3.9 million customers, the individual would be vigorously prosecuted. The same legal standards should apply to corporations.
At least to the senior management of corporations. If a corporation causes any harm to any individual, the CEO and other corporate executives should face the same legal consequences as if the damage was done by another individual.
Citibank should be forced to notify all 3.9 million customers involved, and take responsibility for all damages that may arise from the data loss.
Most importantly, legislation is required to force corporations to treat customer data as if it was money or gold. The courts should establish a minimum amount of value for personal identity information.
If this value were just $1 a piece (just for the sake of this example), maybe even Citibank would not think of sending a 3.9 million dollar package by a regular courier.
We need laws where losing 3.9 million customers' personal data would send a company into bankruptcy and all their executives into jail.
That would reflect the true value of personal identification information in the information age.
I have some experience working with companies like Citibank in the debit/credit business.
What I found is that in some instances, data is very well protected and they do an excellent job following the letter and spirit of the regulations.
What happens though is that there are other areas of a company that are authorized users of the privileged data that don't require the same burdensome security procedures. They have their own business unit with their own procedures, and never the two business units shall meet.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Repeat after me: Citibank is at fault for using UPS to transfer such sensitive data.
Now they have everyone's mother's maiden name.
...a major financial institution clumsily lost millions of sensitive customer data records???!?!
Hmmm. Must be Tuesday.
Swindle
I guess the term identity theft leads away from accountability and towards an unknown "thief" that can take all the blame.
How convenient.
I happen to have a copy of this data. If you send me your name and social security numbers I'll check to see if you're on it and let you know.
Security... it is either way overdone, or it seems like it is ignored. Maybe fines are a good way to go to prevent this, but then I would also suggest that consumer sovereignty take over. Select a credit card based on the services that they provide and the track record they have in arenas that you care about (security). DON'T SELECT A CARD BECAUSE OF A SHINY ENVELOPE.
It is a little bit like the abused spouse, who keeps returning to the abuser.
The bottom line... If consumers don't use Citigroup's cards, things will either change or the company will be deprecated.
Paul
the Citi managers are.
Since I once worked at Bank of America, I don't have to wonder: I KNOW bank managers are idiots.
To hand over ten million pieces of confidential data to U-P-fucking-S? When they send their bank accounting data via licensed and bonded courier companies in armored cars? You know, the ones that say "Accounting data only" on the side?
And THEN have the GALL to say, "Well, it was on mainframe computer tapes, so nobody can read it!"
Go here
and tell me some guy isn't extracting this stuff right now.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
yeah.
Problem is, within 5 years, your hardware has been updated and it no longer has a compatible drive on it. And compatible drives are no longer available new, so you have to resort to eBay. That is, unless you went through all of your old backups and converted them when you switched over (and the reason you switched over was NOT because of hardware failure)...
Well, at least that's what seems to happen where I work.
I had a contract at FedEx Ground a while ago. Their user accounts used rotating strong passwords, and frequently people would write them down on a piece of paper. Most of the time, system accounts and application accounts used the username as the password, or they replaced e with 3, a with @, ad nauseam. Security was a joke.
Adding insult to injury, a df to look at the mounted partitions would scroll off the screen for a few minutes -- all full of 1-gig partitions. Applying a mainframe mentality to UNIX computing is like using a Nissan to pull a freight train.
Does the lost data include what I owe them? That'd be sweet!
"No additional credit may be obtained from CitiFinancial without your prior approval, either by initiating a new application or by providing positive proof of identification," the nation's No. 1 financial services company said in the letter.
---
So wait a second here. What exactly is 'positive proof of identification'? From the description of the lost data it would seem that it contains just about all the proof one would need (stupidly). The reliance on an account number (SSN) as a proof of identity is quite silly and makes me sick.
Customer: So you lost my personal records in transit?
Citibank: Yes. We're very sorry.
Customer: I see. Well, I'd like to withdraw my deposits.
Citibank: Well, it's funny you should ask...
Pretty soon credit card companies may offer customers identity insurance (for a fee, of course). If you refuse the coverage and they lose your data, too bad.
If the assholes at Citibank used encryption, it would be a non-issue. What kind of encryption do YOU use? Winzip with passwords? PGP Whole Disk? Any recommendations for encrypting an entire disk on Mac/Lin/Windoze?
Just for everyone's information, any Citibank customer that is a part of Citibank's Credit Monitoring Service will get 90 days for free for this little accident of theirs. Even though this is small compensation for potentially getting your entire identity stolen, it is still worth about 30 bucks, so I for one welcome that. You can find more information or sign up for the Credit Monitoring Service at https://www.creditmonitoring.citi.com/index.asp.
I would guess that they will require you to have been a customer before this incident happened to get the 90-day credit. I think their incentive for this is so that users can check to see if anything is wrong with their credit, while at the same time making their liability a bit less if this incident is ever taken to court.
1. This tape was almost certainly generated by a mainframe. Why? Because the server doesn't exist that can handle the volume Citibank pushes. Not even close.
Now, why's that important? Because your typical fraudster/hacker/script kiddie bad guy doesn't have a mainframe, tape reader (no, not like the one obsessive geeks have on their PCs as some kind of never-used backup device) and the ability to easily convert EBCDIC to ASCII. Or even know what EBCDIC was if they somehow managed to mount the tape to something that could try to read it. Not to mention getting the decode right for all the packed fields that store things like account balances, PIN numbers and other important bits. And if I told most of you that you would probably use IDCAMS to read this, you would get that 8-year-old-told-Santa-doesn't-exist blank stare on your face.
In short, this tape is practically useless except to a major IT installation.
2. Tapes like this are shipped all over the country all the time. Most folks use couriers, but UPS is not unheard of. And a courier could lose it just as easily....
3. As to the posters complaining that no one tracks what a good customer is, yes they do. There is a number that combines your credit score, number and balance of accounts, and general activity into what a bank would call a profitability rating. That's how YOUR bank would decide what sort of card to offer you. But since most /.'ers are the paranoid sort, they probably spread their banking out over 6 institutions, half of them online. So no one really gets to know you, or take care of your banking needs as a whole. Which would lift that score nicely and give you more of a bargaining chip, as in pulling all your accounts instead of just your crummy, profitless free checking.
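The argument above rests on EBCDIC text and packed-decimal (COMP-3) fields being a barrier. As an added example that is not from this thread, and with a record layout, field names and account values that are invented for illustration, the following shows that Python's standard-library cp037 codec plus a short packed-decimal routine reads such a record; format obscurity is not a control, which is why the encryption other posters ask about is what actually matters for data in transit.

```python
from decimal import Decimal

# Hypothetical fixed-width record layout: the field names, widths and the
# COMP-3 picture clause are assumptions for this example, not any real tape format.
LAYOUT = [
    ("name", 20, "text"),     # PIC X(20), EBCDIC text, space padded
    ("account", 10, "text"),  # PIC X(10), EBCDIC text, space padded
    ("balance", 4, "comp3"),  # PIC S9(5)V99 COMP-3: 7 digits + sign nibble in 4 bytes
]
RECORD_LEN = sum(width for _, width, _ in LAYOUT)
BALANCE_SCALE = 2  # implied decimal places (the V99 in the picture clause)

def unpack_comp3(raw: bytes, scale: int) -> Decimal:
    """Decode IBM packed decimal: two BCD digits per byte, low nibble of the last byte is the sign."""
    nibbles = [n for b in raw for n in (b >> 4, b & 0x0F)]
    sign = nibbles.pop()
    if sign not in (0xC, 0xD, 0xF):  # C = positive, D = negative, F = unsigned
        raise ValueError(f"bad sign nibble {sign:#x}")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit in packed field")
    value = Decimal("".join(str(n) for n in nibbles)).scaleb(-scale)
    return -value if sign == 0xD else value

def pack_comp3(value: Decimal, digits: int, scale: int) -> bytes:
    """Inverse of unpack_comp3; used here only to build the constructed sample."""
    text = f"{int(abs(value).scaleb(scale)):0{digits}d}"
    if len(text) != digits:
        raise ValueError("value does not fit the picture clause")
    nibbles = [int(c) for c in text] + [0xD if value < 0 else 0xC]
    if len(nibbles) % 2:
        nibbles.insert(0, 0)  # pad to a whole number of bytes
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def build_record(name: str, account: str, balance: Decimal) -> bytes:
    """Construct one sample record: EBCDIC (cp037) text fields plus a packed balance."""
    return (name.ljust(20).encode("cp037")
            + account.ljust(10).encode("cp037")
            + pack_comp3(balance, digits=7, scale=BALANCE_SCALE))

def parse_records(blob: bytes) -> list:
    """Walk a blob of fixed-width records and decode each field according to LAYOUT."""
    if len(blob) % RECORD_LEN:
        raise ValueError("blob is not a whole number of records")
    records = []
    for offset in range(0, len(blob), RECORD_LEN):
        rec, pos = {}, offset
        for field, width, kind in LAYOUT:
            chunk = blob[pos:pos + width]
            rec[field] = (chunk.decode("cp037").rstrip() if kind == "text"
                          else unpack_comp3(chunk, BALANCE_SCALE))
            pos += width
        records.append(rec)
    return records

# Constructed sample "tape": two records with made-up names, accounts and balances.
SAMPLE_TAPE = (build_record("ALICE EXAMPLE", "0000123456", Decimal("1234.56"))
               + build_record("BOB SAMPLE", "0000654321", Decimal("-42.10")))

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_TAPE):
        print(rec)
```

Note that `b"ALICE"` never appears in the sample bytes, so a naive ASCII grep would miss it, yet the decode is a handful of lines.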
Well I wish the moral majority would rear its ugly head when Dublya changed the bankruptcy laws. Isn't lending money with interest a sin to those who practice Christianity? Or Judaism for that matter? And how did the country let the mega lenders of this nation dupe everyone into believing that they were getting soaked by bankruptcy? Yep, I'm hoarding precious metals from now on. We're all in for a real shock when real currency is banned. Welcome to ShadowRun all over again.