3.9 Million Citigroup Customers' Data Lost
Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
"oops"
A week hasn't gone by this year that some major data warehouse hasn't been "broken into". When are these people going to start taking our privacy and their security a little more seriously...
"A truly wise man realizes he knows nothing."
3,9 million more recipients for "refinance NOW" spams...
These companies are treating this information far too trivially. Laws need to be passed that will make this type of carelessness illegal and/or compensate these customers for losing their info. I think the lack of trust from customers would be incentive enough, but obviously it isn't, so more needs to be done to prevent these fiascos. And on another note, why aren't more consumers, in this day of rampant identity theft, completely outraged by these events? What is this, the fourth incident in the past few months (and I'm probably lowballing the number)? This is simply unacceptable.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
UPS: What can BROWN lose for you?
You can hold down the "B" button for continuous firing.
Customer: Hi sir, I have my paper statement here which claims I had $1,000,234.01 in my account a month ago. Please bring my account back.
Employee: Ummm, let me verify that with my datab... I mean.... let me get my manager.
Customer: No problem. Take your time. Would you like some free coffee. It's on me.
What can Brown do for You?
"Kittens give Morbo gas!"
If we create legislation that makes losing customers' personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.
Just because you didn't hear about things like this in the past doesn't mean they didn't happen.
http://www.rayn.net . Funny. Stuff.
seems the brown has hit the fan
With that many customers, they should have their own armed shipping dude.
For negligence?
Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
I used to work for UPS customer service. I'd say at least .1% of all packages either get damaged or lost during shipping. Shipping packages of low value is no big deal, your losses over time will be minimal. Shipping packages of high value, however, will result in considerably larger losses over time.
DO NOT SHIP YOUR HIGH VALUE GOODS VIA UPS/FEDEX/DHL/ETC. I cannot stress that enough. Hire a private courier. Hire someone in your company. Drive it yourself. Find someone with better than a 99.9% success rate if your package is worth millions.
I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The fact that knowledge of a person's identifying credentials is sufficient to commit fraud is solely the responsibility of those who are architects of the credit system. Until the law makes them fully responsible for all damages to consumers caused by the flaws in the credit system, this problem will just continue to get worse.
Cthulhu for President! Why settle for the lesser evil?
The only way to solve this is to attach a cost to personal data. As soon as you do this, companies will instead of trying to collect as much data as they can, treat it (rightly) as something they should collect as little as possible. Lost data should have a cost to it which sends shudders down the spine of Chief Financial Officers.
I expect this will take a big class action lawsuit, but if I were a company of any size which handled confidential client data, I would be scrambling for a way to reduce my liability.
I'm not wrong. You haven't thought about it hard enough.
There is no reason why this data needs to be shipped together. Citigroup should keep social security numbers separate from names, separate from account history, separate from address, etc. All this can be assembled when needed and it would make it much harder to steal useful data or for a criminal to make use of any lost tapes.
The global economy is a great thing until you feel it locally.
"Should have had that special combustible backup tape."
Or just encrypted the data before sending people's data in the mail. I have always heard to not send cash in the mail for this reason.
I hope they were encrypting their backups. It's only common sense to do that, right?
Actually this could be a very bad idea. Imagine trying to retrieve badly needed data from a 5-year old encrypted tape.
In this case it was data being sent to a credit bureau, rather than a backup, so it most certainly should have been encrypted.
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
In the Google ads in the sidebar next to this story they have a listing for "Jobs at UPS". Extremely fitting for this situation as there has to be a few employment spots opening up at 'brown' after this incident.
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
As this is just another in a long string of weekly "your vital data stolen" stories, I'm starting to wonder: have big companies always been this fucking careless, and it's only due to SOX et al. that we're learning about it now? I'm not even sure which I'd prefer.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
You have to be kidding me. UPS? To transfer secure information? Where I work, we receive a backup tape from a production system that we load that contains sensitive data. That tape is sent back to my group via Iron Mountain (and we send the old tape back the same way). And this isn't even stuff as high profile as like what's Citigroup apparently lost. When services exist like this to facilitate occasional, VERY important shipments, there's just no excuse using UPS or Fedex. I fear for the free market if this is "business as usual" for it.
These are the people that would pay through the nose for armoured car to truck their cash around, but would send huge amount of customer information through UPS.
ELOI, ELOI, LAMA SABACHTHANI!?
don't they even care for encrypting data in removable media?
that's so lame!
will be taking their business elsewhere
I am moving from BofA after their mishap.
Somewhere smaller, hopefully more secure.
Hit them where it hurts!!!!
Mod parent up....
The funny thing is that in TFA, it said "starting July, data will be transmitted in an encrypted form, electronically."
I have a sinking feeling that the data on the tapes wasn't encrypted, even though it would have been trivial to do so.
What are these guys thinking?
We need laws of the sort that would allow us to punish Citigroup for this kind of data loss It should be bloody painful for any company that ships masses of (plaintext) financial data out of their building. It is *not* hard to require them to encrypt the goddamn data, nor is it expensive (especially given what financial companies consider expensive). There is no good reason not to make extremely painful penalties for not doing so.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Wow, looks like they have a track record with these things.. Here [google cache]. I know that they take big security precautions for their data while it's on the servers, why can they not afford the same in these situations? Maybe it's time to stop looking at outsourcing your transportation of customer records to private companies and work out something that will ensure the privacy of your customers' data.
I guess not, otherwise this would be a nonissue. It is unbelievable that in this day and age a company the size of Citigroup would ship unencrypted tapes. Geez, it is trivial to do and a no-brainer. Really, whoever is in charge of IT security policy there is an idiot and should be fired immediately and any security credentials (like CISSP) stripped so he/she can't pull another fast one on some other company. This is the height of absurdity and irresponsibility.
Goodbye hardware compression...
True, you could compress them before encryption, but that's more host cpu load. If anyone gets hold of my backup tapes then, well - if they have the same success getting anything back off them as I do, then I'm not worried at all.
CitiGroup no doubt spends millions each year on network encryption for data transmitted across WANs. I wonder if the data on these tapes was encrypted? Since they're "backups", I doubt it. Sure, UPS screwed up the sensitive task entrusted to their expert professionals. But CitiGroup took an unacceptable, unnecessary risk by allowing the task to be so sensitive. They should all have to indemnify every exposed CitiGroup customer from identity crimes in perpetuity, including the time the customers spend managing this exposure.
--
make install -not war
There is definitely something wrong with this system! I'm all for doing without consumer credit, but it's simply not feasible.
Perhaps we need a public-key style scheme where we generate a unique private key that we use to encrypt things like credit card applications, and then the public key is on file with the government and credit card companies and the like. That way only we have access to important private information, but the credit reporting agencies and the government can still keep track of us the way they do currently.
This would beat the hell out of biometrics and nonsense like that (you can't bloody send someone a retina scan over the internet or through the mail!), and it would do something to improve our privacy by preventing people from faking your identity.
I didn't do it!
"Whenever the cause of the people is entrusted to professors, it is lost." ~ V.I. Lenin
What's funny (or sad, depending on your POV) -- that might have actually been safer!
Frankly, Registered Mail, as offered by the US Postal Snail, would have been the way to go.
This sig no verb.
If we create legistlation that makes losing customer's personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.
Regarding your collecting comment: just how is it inappropriate for your bank to have your name, address, SSN, and additional financial info like the accounts and mortgage you have with them?
It is the ethical responsibility of the maintainers of this data to keep it secure. When trusting a 3rd party to transfer sensitive data, Citigroup should have encrypted the data on the media. Sure is odd how this happened, UPS has never lost anything of mine.
Jesus, in recent days I've taken it in the teeth by the failure of institutions to protect my personal data.
:-(
UC Berkeley sent me a letter telling me they failed to protect my data. University of Chicago came next. And now Citigroup.
I'm picking far too many winners lately...
STOP . AMERICA . NOW
This is why I keep all my money in a wad stuffed in a shoebox under the bed. That way I always know where to find it - right next to the porn.
Find Results With
The exact phrase high security
Search for "high security" found 0 matches.
Congratulations on making the first "brown" related comment that's actually funny :)
"A truly wise man realizes he knows nothing."
[cue Ace Ventura]
GRUFF MAN
It sounds broken.
HDS MAN
Most likely sir! I bet it was something nice though! Now... I have an insurance form. If you'll just sign here, here, and here, and initial here, and print your name here, we'll get the rest of the forms out to you as soon as we can.
the instant the tape was lost, my plane luggage from 1996 showed up!
Table-ized A.I.
I agree with the parent 110%. Would a store pay the Postal Service to transport money to a bank? No! They use armored transport.
I bet we're going to get bitched at tonight to scan all our packages! I load the semi trucks that haul ground packages across the country and don't think any foul play is involved. There are quite a few things that could have happened to it. It might have even ended up in another customer's package if it's very small. We should have been able to find it, though. It's pretty damn difficult for a package to get lost for more than a couple days in our facilities.
Because the tapes were encrypted, weren't they... er... Weren't they?
0.o
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
Isn't this the second time (or more, most likely) that a set of shipped customer has been "lost?"
It's quite possible that the scum of the universe that feeds on harvested identities has gotten sophisticated enough that they are now able to identify such in-transit packages and have them go missing.
Bottom line -- companies should not be shipping this type of information via common carriers.
Obviously, the solution if you want the compression in the hardware is to put the encryption in the hardware too.
Otherwise, can't you just compress the encrypted data? It wouldn't be as efficient, but it should compress some, right (especially if you carefully chose the encryption algorithm)?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Just goes to show you that writing "Backup of customer data" in the goods declaration of the shipping form isn't a good idea
Having myself been lectured (and inappropriately, by the way) by Citibank employees about how it's my own fault my credit card interest rates went up (it wasn't, by the way), I hope at minimum that someone sits down the entire senior staff of this company and lectures them like they were children for many hours, making them feel as embarrassed and disrespected as they routinely do to their customers.
And then, just to make the point, they should have to pay not just whatever court-assessed penalties, but that amount plus 24.99% retroactively applied to the entire amount backdated from the time they finally pay all the way back to the time of the incident, just like they're always raising people's interest rates to unreasonable amounts like that even retroactively on purchases already made, and to ensure that they pay in a timely way.
And it goes without saying that reparations should be paid personally by the people who run the company, not passed along to customers.
Kent M Pitman
Philosopher, Technologist, Writer
"... was lost while being transferred to a credit reporting bureau"
Not sure what is more ironic, the fact that a shipping company can't even ship its own packages or that the information destined for a reporting bureau is now most likely going to destroy the credit of said patrons.
Welcome to the 21st century, where we are in total control of your personal data, not!
Way to go, double "Doh!"
The Inquirer had an article talking about encrypting backup tape a few days ago.
Coincidence?
DT
Is this thing on? Hello?
What's the fastest way to transmit stolen data? Modem, T1, T3 - or a UPS truck full of tapes?
52 Weeks, 52 Religions with John Hummel
After learning about a string of these 'mishaps' here lately, I wonder who *really* has the lost data now and what are they going to do with it.
Mere fraud is too obvious and passe.
Could be the start of something more sinister....
Be on your guard, people.
"I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement."
Give me your social security number and I'll be glad to demonstrate what's "gone".
As yuo no, we are comited to protectng your prievecy adn as such we need u 2 veerify yuor account by going 2 this site CITIGROUP.COM adn entreing lots of peersonil info.
Tahnk you 4 ur help in tihs imprtnt matter
Signed, CITIGROUP
- "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
...is now the color of his underpants.
...You can expect them to be probing/asking if your tapes are encrypted.
Most backup systems don't have built in encryption, but you can work around it.
It's pretty easy for Windows when using something like Backup Exec 9.x+. In my situation, I backup a .bks file to an encrypted folder (Windows EFS, where the .bks file takes on the encryption attribute) then duplicate it to tape.
Ntbackup supports encrypted files, but I'm not sure if it has a good duplicate feature or not.
Of course you'd best be on the up and up with how EFS and certificates work and of course have a bullet proof PKI - or you're kinda hosed during a bare metal recovery. I guess it does "add complexity to restores" but only in those aforementioned cases.
:-/ ...Kinda important if you can't cipher your whole drive.
It's a well documented subject.
I really doubt they'd be fined per person.. that'd be a 10 billion dollar fine.
then maybe they shouldn't have treated 3.9 million people's information so carelessly! (although, I seriously doubt they'll even get the minimum fine.)
"Plans are for fools! Oglethorpe, the plutonian (Aqua Teen Hunger Force)
How would it work?
You're nothing; like me.
There are government regulations in place that require collecting a certain amount of information, including SSN. The IRS must be notified if you make a deposit or withdrawal over $10,000 and the bank needs to send you and the IRS information relating to interest earned for tax purposes.
Eventually someone is going to just have a public database with all this crap in it. The worst part about all this is how much money people are making by selling off stolen databases to the highest bidder.
In the perfect world, anyone would be able to get my information, and I would be informed exactly when it happened, and if I wanted to, I could get their information.
As fun as the notion of privacy is, it is highly impractical and inappropriate in a modern, information driven society like the one we live in.
Customer: I lost my card and/or pin number. Can I get a replacement.
Bank: Sure, we just need you to prove that you are the owner of the account. What's your card number?
Customer: How the fuck am I supposed to know? It's on the card which I've lost.
Bank: Alright, name 3 transfers in the last month.
Customer: I haven't used my account in 2 months.
Bank: I'm sorry, we can't verify you're the owner. We'd ask your name, address and photo id, but we can no longer keep those details about you. Your 4,000 is ours.
Or if they have the card, there's no proof they're the owner (if they forgot the pin and don't have the recent transfers). Yes, not everyone uses their accounts a lot, and often forget transfers they've made and the amount it was for.
Until the fines cost more than the security implementations, huge companies like Citi will always have problems like this. Hell, CitiCards shows the domain administrator's username in all of the marketing materials. I tried to change this when I was there and I got the big f@ck you, shut your mouth or you're out of here.
- stolen from saic
- illegaly sold by bank of america
- lost by citibank
awesome! thanks a lot guys
For a moment I thought I might not have to pay back my loan -- then I realized it was just their back-up copy that they lost.
Why do you torture me so slashdot?
In Soviet Russia, Brown does you!
Retrieving encrypted data from a 5-year-old backup tape? Assuming it was real tape and not DAT or something, this should be trivial. This isn't 40-year-old analog tape that peels off its binding we're talking about - materials science has come a long way.
The only way a decent tape (pretty much any 1/2 inch and the better 8mm) made since the mid-90s is going to lose data in the first couple of decades is severe environmental damage. If stored properly, I guess no one really knows how long they will last, but the problems that caused earlier tapes to go bad in the 20-30 year range have been fixed. Modern tapes are incredibly resistant to corruption from magnetic fields as well, the field strength it takes to flip a bit is insane - it has to be to get current data density. If you really wanted to archive for several decades, encryption might become a problem, but not in the 7 years you need to keep most data.
There's a reason you don't use cheap ATA hard drives for archive, you know.
Socialism: a lie told by totalitarians and believed by fools.
You have to compress *before* encrypting. This is fundamental. The strength of a cypher is determined as much by the quality of compression as the quality of encryption.
There aren't any good consumer level offerings yet, but encrypting your filesystem in the first place will produce equal quality encrypted backups with any decent backup product.
For a larger business that cares about this, the high-end backup products offer software-based encryption that works fine. For someone the size of Citibank (or a government agency), however, an in-the-wire solution for at-rest encryption is the best answer. Companies like Decru make excellent solutions. Not cheap, but made by and for the intelligence community. 256-bit AES with the kind of well-thought-out key management you only get from security professionals.
There's really no excuse for a Fortune 1000 company not to have a solution of this quality. But I don't think we'll get there without legislation, or some extremely harsh class-action suits.
Socialism: a lie told by totalitarians and believed by fools.
"What the hell. It's 2005. Why wasn't the data encrypted in the first place?"
If you use crypto on your backup tape, you introduce an extra layer of risk.
-fb Everything not expressly forbidden is now mandatory.
The article assumes "lost", yet there's zero proof of that statement. It could just as easily be an insider job and the tapes stolen and sold to some crime syndicate.
This crap won't end before people's data is assumed by default to be their data and not these over stuffed pompous merchants' they do business with. With all this corporate noise of "IP", and how much they assert they "own" this or that, I hear very little from them about who actually owns what. Seems like they just hijacked all their customers' information and automagically assume ownership of it to do with what they want, like this example of shipping all that data like it was a cheap trinket by common courier for a few dollars. That's probably all it was, too, a few bucks. How cheap and greedy and stupid can you get?? Nutz it is. IMO, they can *use* that information for the purposes of the contracted service, the initial exchange, but after that point, it should revert back to the customer's *total* possession. Once identity is established, they could have issued an account number and only kept track of that in-house; there is no technical need to store the customer's personal data in that fashion. It's a law and stupidity and greed question, it's not much of a technical problem.
Then a simple "loss" wouldn't be a Big Deal!
(All mine are, as are my laptop harddrives, in case a laptop "goes missing")
Best Buy can have you arrested
The same way it works in Switzerland, or the Caymans, or wherever it is that they take banking privacy seriously this decade.
Why could a bank possibly need any info about you in order for you to loan them money?
Socialism: a lie told by totalitarians and believed by fools.
Everyone is missing a point here: Who in their right mind backs up data, then uses UPS of all companies, to ship it? These guys are brutal, and have a well deserved reputation for roughing up, damaging, and destroying/losing packages. Ever notice how your nice, delicate electronic type toys are shipped via Fed Ex? Hmmm?
My favorite personal UPS experience is when I received a large manila envelope from UPS. They thoughtfully added a nice, large, black *tire track* (as in from a truck) across the envelope. Free of charge!
What can brown do for me? Not my shipping, that's for certain!
I expect this will take a big class action lawsuit...
There's certainly better ways to solve this problem than the "let's make them afraid of lawsuits" method. Fear of reprisals tends to motivate people to cover up their mistakes, shift blame elsewhere, and so on.
Litigation is the same kind of "solution" that the US medical system has been using for some time, and it has contributed to having, by far, the most expensive medical system in the world, without commensurate quality.
Rather than going down that road again, we should be more proactive about protecting personal information. Here's just a few things we need:
I don't see what the big problem is. If they'd bought insurance they could replace the data storage tapes easily...
Waking Up - There must be a better way to start the day.
You'd think they'd employ their own courier to move backups with sensitive data. This just shows how much value they put in their customers' security, financial and otherwise. If I were their customer, I'd be closing my accounts with them NOW.
They are unaccountable. Try complaining to your states AG about your bank or CC company. You'll be told that the OCC (Office of the Comptroller of the Currency) has jurisdiction. Want to complain to them? Well, they'd probably listen if they weren't staffed by governmental appointees and ex-industry insiders.
Want to sue? Sorry, but you've probably already given up that right under an "arbitration" clause. One could try a class-action suit, I suppose, though that avenue's been largely gutted by the "Class Action Fairness Act".
So what if the industry loses a few more dollars to identity theft? They'll just raise interest rates, late fees, and overlimit charges to make up for it.
No problem.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
If that was their only copy of my records, I wouldn't be so sad. No matter who ended up with it.
----
Not to be confused with Col.
"When multinational mega-corps losing vital personal databases is outlawed, only outlaw multinational mega-corps will lose personal databases." - Tom Hanks in Castaway II: War of the Gilligans, in the scene where Tom must instruct a nerf soccerball on the importance to democracy of multi-national mega-corporations having complete lack of accountability for the databases of their customers' most personal and sensitive informations. (Note: Hanks did not win the Oscar for this role due to Tom Cruise's knock-out portrayal of a (former GI, psychologically impotent heterosexual) everyman in Steven Spielberg's immensely successful follow-up to War Of The Worlds, WOTW II: The Big Shill. But it was close!)
"We're millions of miles from earth, inside a giant white face, what's impossible?"
But backup tapes are a whole different story. Of course you can encrypt your backups, but you can also encrypt your whole hard drive. Both will end up eating CPU time and increase chances of corruption. Whatever happened to fault tolerance?
Personally, I wouldn't want to complicate the backup and restore procedure, only to increase the margin of error. Backups can be temperamental enough, without adding the encryption overhead.
I'm not saying it's ok to lose 3 million people's credit info, but I do agree they could have done better, i.e. encrypted over a WAN link, where our handy connection-oriented protocol will re-transmit lost or corrupt packets until the cows come home.
But situations like this are just plain sad. Personal identity and credit information are physically shipped by a general carrier, with no assurance of integrity, and completely unprotected. They were asking for it, bad.
--
With great power, comes great utility bills.
I'm not saying it should work that way, and I'm certainly not claiming it could in this pro-business climate. But it's an interesting thought experiment.
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!
I work in the finance industry and can testify that brokers such as Citigroup ZEALOUSLY guard their trading data. To even go near it you need to sign NDAs and those with access to it are regularly audited.
There is no way in hell that Citigroup trading data would ever have been lost in the way that they lost these customer records... The reason of course is that private trading data is essential to Citigroup profitability.
As other posters have noted, the only way that companies will start seriously protecting customer data is if there is a real financial incentive involved.
I think that this kind of shit should be disclosed in a privacy policy. For example, "Your personal information may be transported, on physical media, to other parties via third-party carriers." Would that really make a difference though? And furthermore, why the fuck is it that the last few stories I have seen of this nature have involved UPS losing backup tapes?
Kinda makes you wonder if any of it is related to that dude who got busted dropping off packages off at his own house and selling the stuff on eBay... If not to that case itself, maybe someone else doing something similar?
bash: rtfm: command not found
Here in Mexico there are suspicions of dirty operations by Citigroup, i.e. millionary tax fraud when buying the Mexican bank "Banamex". Mexican news reporter Lily Tellez has received death threats because she spoke about it.
And you thought losing some customers' information was serious. Ha hah.
Talk about revenge... Note to self, never open an account with Citigroup. If I do, be sure to never close it.
EvilCON - Made Famous by
What I want to ask is, with such valuable data, why didn't they just pay someone $500 and fly them to the destination, and have them carry it in their carryon luggage? Humans are more reliable than UPS.
You figure with that much sensitive data it would have been hand carried.
Fed-Ex/DHL start running ads to the effect of "We don't lose your important packages like the other guy. . ."?
You have a constitutionally protected right to be wrong, and I the right to ignore you.
...for doing business with citibank.
I worked for a major bank once, and know people who have worked for citibank in particular.
The contempt in which banks hold their customers is mind boggling.
Use a credit union. They seem to be the only financial institutions with a conscience - probably because they can't make a profit.
"Sic Semper Path of Least Resistance"
Surely they are using something like TSM for the backups; the data can be encrypted on the tapes and there would be an onsite copy of the data on tape as well as the live data. Fairly simple to do and there's no excuse for not doing this with sensitive data.
What is interesting is that this comes about a month after the theft of about 600,000 customer records by TimeWarner cable (http://informationweek.com/story/showArticle.jhtml?articleID=162101437/).
The data went missing while in transit to an Iron Mountain facility by a truck. Sounds like a very similar incident here. In the TimeWarner article, the Iron Mountain corp was quoted as saying that they have the technology that would allow companies to use incremental backups to copy their data to the Iron Mountain center electronically thus eliminating the truck but I guess companies are either not listening or finding it cheaper to ground-ship the data... Perhaps after all these massive thefts at TimeWarner, Bank of America, Wachovia, and now Citigroup, companies will reconsider how they back up their data..
Perhaps they will start to use Armor trucks instead of UPS ground to ship their customer's records, once the law-suits start streaming in...
--
http://unk1911.blogspot.com/
The same way it works in Switzerland, or the Caymans, or wherever it is that they take banking privacy seriously this decade.
;-)
No, that was previous decades, when money laundering and facilitating criminal/terrorist activities was considered quaint and harmless. It's a very different world this decade. Things are not as private or as anonymous as they used to be.
In other words, go ahead and open an "anonymous" account at such an institution. All you will really accomplish is that your file will be maintained by a 3-letter agency that is not the IRS.
Gotta ask;
Isn't this a violation of privacy rights?
Not the loss of the backup tape, but the fact UPS is handing over personal information to another company.
If I want to use UPS as a reference for rating my credit, then I'll offer that information on my own accord when applying to companies who are seeking payment history.
This story however, clearly shows that UPS is regularly handing over private information to Experian.
http://www.experian.com/consumer/index.html
IMO that act should be illegal, let alone the negligence of losing said information.
In this case, the lost cargo is probably in a UPS warehouse somewhere. They probably ran over the cargo with a forklift, and it's currently unidentifiable.
Nah, we got that crate in from UPS this afternoon. I told ol' mort to put it next to that strange pre-war government crate in the back of the warehouse that hums.
HA! I just wasted some of your bandwidth with a frivolous sig!
I'm sure it was insured...
-tom
That is why things like this happen. Banks are big companies that shift lots of money about and they tend to know quite a bit about how to make money.
So it is reasonable to argue that the reason the banks don't encrypt the data and send it by some system where it will, with a high probability, be "lost" is that the "accident" will in some way make money for them.
You can all be as outraged as you want but until banks stop making money due to identity theft things will not change.
The only way I can see this happening is for the banks to be fined, and the fine must be larger than the amount of money they may make.
threadeds blog
How many "essential" customer databases do you suppose there are in the USA?
The more redundant backups that are made, the safer the data is from loss that would disrupt the businesses, so more and more backups are made and shipped off to be buried under a mountain somewhere.
As these thousands of databases spawn thousands and thousands of backups destined for remote storage, guess what? Backups will be lost!
The odds that a lost backup will be found by someone with the hardware and software needed to access the info are mighty slim. I would like to think that businesses, particularly banks, use at least some lightweight encryption, if not proprietary formats, to prevent access to backups by unauthorized parties. But even without such protections, identity thieves don't thrive on these mishaps, they have plenty of other methods.
This just doesn't seem much of an issue to me.
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
If your ciphertext compresses at all and doesn't actually take up *more space* (negligibly so, but more all the same) then there's something very wrong with it. Rot13 compresses well, because it's a static mapping, the same words are represented the same way no matter where they are in the plaintext. Consequently it's literally child's play to decipher it.
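The compressibility test the post describes, as an added example (my code, not the poster's): a static substitution such as rot13 leaves every bit of the plaintext's structure in place, so zlib squeezes it just as well as the original, while output XORed with a random pad of equal length has no structure left and does not shrink at all. The records, the `looks_like_weak_encryption` helper and its 0.9 threshold are constructed for this example.

```python
import codecs
import os
import zlib

# Constructed sample: a few hundred made-up customer records of the kind a
# backup tape might hold. Every value here is fabricated for this example.
SAMPLE_RECORDS = b"".join(
    b"name=Customer%04d;ssn=000-00-%04d;balance=%d.00\n" % (i, i, i * 37)
    for i in range(300)
)


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size. Near 1.0 (or above) means zlib
    found no structure to exploit, which is what real ciphertext looks like."""
    return len(zlib.compress(data, 9)) / len(data)


def rot13(data: bytes) -> bytes:
    """The static letter substitution the post mentions (not encryption)."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def otp_encrypt(data: bytes, pad: bytes) -> bytes:
    """XOR with a random pad as long as the data: output is uniformly random."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def looks_like_weak_encryption(ciphertext: bytes, threshold: float = 0.9) -> bool:
    """Heuristic check: if the supposed ciphertext still compresses well, the
    transform has left plaintext structure intact and should not be trusted.
    The 0.9 threshold is an assumption for this example, not a standard."""
    return compression_ratio(ciphertext) < threshold


def compare_schemes(data: bytes = SAMPLE_RECORDS) -> dict:
    """Compression ratios of the plaintext, its rot13 form, and an OTP form."""
    pad = os.urandom(len(data))
    return {
        "plaintext": compression_ratio(data),
        "rot13": compression_ratio(rot13(data)),
        "otp": compression_ratio(otp_encrypt(data, pad)),
    }


def detection_results(data: bytes = SAMPLE_RECORDS) -> tuple:
    """(flags_rot13, flags_otp): the heuristic should flag rot13 and pass OTP."""
    pad = os.urandom(len(data))
    return (
        looks_like_weak_encryption(rot13(data)),
        looks_like_weak_encryption(otp_encrypt(data, pad)),
    )


if __name__ == "__main__":
    for name, ratio in compare_schemes().items():
        print(f"{name:10s} compression ratio {ratio:.3f}")
    print("flagged (rot13, otp):", detection_results())
```

The check is only a sanity screen: a ciphertext that fails to compress is not thereby proven strong, but one that compresses well is certainly not encrypted in any meaningful sense.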
We need a law which would heavily fine and imprison the CEO of any company that lost customer data. With this over their heads you could be sure that all security measures would be taken regarding our information. The fine would go to the individual whose information was lost or transferred or whatever without their approval.
There must come a time when we start to understand that any kind of personal information first belongs to the person from which it is derived. It is similar to personal property. And this kind of property must not be available for sale nor may the individual give up his right on this property.
This kind of law would make storing information on people more of a risk for the info gatherers.
1984 is on the way, a bit late but coming, so please, let's do something to stop it.
This is a test!
why I just received this email:
Dear Citigroup Customer,
This email was sent by the our server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your ATM/Debit Card number and PIN that you use on ATM. This is done for your protection -I- because due to matters out of our control, our customer records are out-of-date.
To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
Shipping private records through UPS? I've been inside the hubs and the way some packages are handled is just nasty. Combine that with poor packaging, and you get what you pay for.
Who cares? The data on the missing tapes would all have been encrypted, right -- it's a bank we're dealing with here -- and the decryption key would surely have been sent by a separate channel {otherwise what was the freakin' point of encrypting it?!}. And in order even to read the encrypted data off the tapes, you'd need one of the right make and model of tape drive ..... So basically, nobody has any way to recover anything that would be useful for naughtiness. And since the tapes were backups, it stands to reason that all the original data must still be kicking around somewhere. This is a non-story. It has value only as a sensationalist piece which might scare the ignorant. Ting! Next, please.
Je fume. Tu fumes. Nous fûmes!
Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.
They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.
If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.
The truth about Scientology, Xenu, and you: Operation Clambake
That's just too dangerous. You have a $50 liability limit on credit cards. You could lose your entire account on a debit card.
The only reason to do things that way is if you have a tendency to use credit cards as long term loans rather than as protected debit cards.
Cow Cube
Citibank
666 Fifth Avenue,
New York,
New York 10103
Why isn't the data encrypted with some sort of strong schema during the transit?
-- Sig down
For people like me (non US) who did not know what this "Brown"-stuff was all about: http://louisville.bizjournals.com/louisville/stories/2002/02/04/daily35.html
"At UPS, brown is more than a color -- it's a tangible asset that people associate with all the things that are good about our brand,"
Shit... (no pun intended) this reminds me of the film "Coming to America" (http://www.us.imdb.com/title/tt0094898/quotes) where Akeem says "When You Think of Garbage, Think of Akeem".
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
Which requires companies to take precautions against the loss of personal data.
Deleted
It may work only if the liability is prohibitively high. Otherwise, once we put a price tag on privacy, corporations will simply calculate the cost of protection and expected liability (by doing some probability maths). Turns out that people may find it less costly overall by sticking with a minimal protection scheme.
I'm not sure if my data was stolen, can someone please check?
Douglas Whitmark
2020 La Puerta Apt. 102
Albuquerque, NM 87122
SSN: 281-79-3326
(PS: I made all that stuff up. Sorry to any/all Douglas Whitmark's out there. That's where my random number generator landed.)
Why do we keep entrusting important data to firm with an acronym that says "OOPS" on all of its delivery vehicles?
Look at the bottom of the article, it clearly says:
CitiFinancial is inviting customers to enroll via a toll-free number, 1-888-469-8603, in a free credit monitoring service for 90 days.
This whole article is a ploy to get you to buy their credit monitoring service. Once you sign up they hope you forget you did and after 90 days they start charging you for credit monitoring.
This sort of thing is just gasoline on the fire for using biometrics for identification. Once all transactions are backed by solid proof of id, your SSN and credit card numbers can be openly published right next to your address and phone number.
Yep. When I make a credit card purchase, the first thing I do when I get home is log into my bank and transfer the money over to pay for it. Generally you can figure out the amount of the purchase by looking at the temporary hold (in my bank, it shows up as a reduction in available balance).
Then, when you get the statement, there will be a fraction of a dollar credit (most merchants place a hold rounded up to the whole dollar). Check for that credit. It costs you nothing, and you get the convenience of the credit card without the risk of carrying debit cards or large bills.
What, you think there's something special about C-bank? No, they're the rule, not the exception. Every financial institution cares just about the same amount about your data, and your life - in fact, the only money they really watch out for is the huge sums the company gets to keep for itself - THAT money (and the company's data) gets MUCH more carefully guarded!
My rule these days is, giving away information that you don't have to is like giving whiskey and car keys to a teenager. So apply for the credit card, but just write "disconnected" in the phone number box. Use several free email addresses and make sure they're evenly distributed as contact drops. Make a "mistake" in estimating your exact gross annual income, when reporting it to anybody but the IRS.
The point is not to be subversive, but just to be realistic. The information age has spawned a paper-happy bureaucracy driven by bean-counters who want your life history at every other step. Check it yourself - 90% of the data that you go through life writing in little boxes is simply dropped into a filing cabinet unread, unneeded, and ignored. I've gotten driver's licences with no address (just a PO box!), paycheck stubs with no SS number on them (you can ask to get it removed), and once got Household Credit to approve "Barney the Purple Dinosaur" for a credit line of $250. (To the best of my knowledge, the address I did this at *still* gets offers for him...)
Most of the people who key the data from your form to the computer do not even speak English! In fact, the most likely method for your data to be read is for the processing center to OCR-scan (or flat picture scan) it into a computer, where the images can then be beamed to the lowest-bidding Malaysian crack monkey (anywhere in the world) who "reads" the picture of your data and keys it in. And they're feeling the pressure from machine-AI reading programs, which are able to translate more and more of your hand-writing with a higher percent-chance of confidence every day.
Bottom line, if you throw a "Jr" onto your name half the time and half not, or only use your middle initial as the fancy strikes you, you're lying to no-one but an SQL database app, and you're only doing what little is in your power to confuse would-be identity thieves; necessary in a world that will always refuse to protect you!
Good grief! My data is lost...
He who knows best knows how little he knows. - Thomas Jefferson
Big Corporations / Govt will NOT do anything to help the average person; it is up to people to help themselves (unfortunately, this is the way it is). While a boycott by one individual may seem insignificant, several million people withdrawing their funds and taking their business elsewhere will have a major impact. It seems that the only "thing" that talks nowadays is money.
My 2 cents, anyway.
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
NPR covered the story this morning, even including an audio blip by Bruce Schneier. He actually thought that using UPS could be a good idea - kind of like hiding a needle in a haystack, but unfortunately in this case, the needle got lost. I would agree with others, that especially if they knew the needle was going offsite, it should have been encrypted.
The living have better things to do than to continue hating the dead.
I hate the system so much I have considered just posting my identity on ebay for $1 with a noted an inventory supply of 1,000,000.
Identity. Who cares, life is a temporary situation, even the rich are going to suffer years of pain before they die. MUHAHAHAHAHAHA. Remember Jesus had a bad weekend before he died, we are more likely to have a bad couple of years in which we will beg to be hung on a cross. -- I guess I'm feeling a little grumpy this morning.
What Citibank did (shipping unencrypted sensitive data by UPS):
1. Is or at least ought to be a crime. People there should now be looking forward to jail time, not just fines.
2. Some customer affected should initiate a class-action suit. Damage was done.
3. Why don't they (and the authorities) make the obvious assumption that the data was stolen, not lost?
What can brown lose for you?
Not at all. But with regards to the recent bankruptcy bill, I see it as two wrongs, compounded by a third and bigger wrong.
* Wrong #1: People who use credit cards unwisely. Nothing good about this, and I won't defend it.
* Wrong #2: Credit card companies that push credit on people with relentless advertising. Then they advance credit to just about anyone, and are happy, even eager, to up your credit line. IMHO, they are knowingly making bad loans. This used to be known as "bad banking" and was punished by bad profits.
* Wrong #3: After years of making bad loans, and starting to see personal bankruptcies rise as a result, the credit card companies buy legislation to "close the loophole." They have been taught nothing about prudence in loaning, at all. Neither side is right in this. But the bad part is what happens to that original background of bankruptcies, before this credit abuse bubble. This bill is catching some of those legitimate bankruptcies and turning them into lifetime debtors.
There are so many credit cards that offer better terms, you should cut your Citicard up into tiny bits and mail it to them with your cancellation. After Citigroup acquired AT&T Universal card, I stopped using it because of the horrific terms. You are being treated the way you are because that is the way management wants you treated. Life is too short to put up with that kind of nonsense. Start with ClarkHoward.com, type credit cards in the search box and free yourself!
Absolutely something helps -- they scanned the package, they know what driver scanned it at a minimum and when, so they can fairly easily guess where it may have been delivered. They can have their driver visit those locations the next day and ask about the package. Considering misuse of the information in that package is a felony, even if whoever has it doesn't fess up, it gives a pretty good place to start a more careful watch.
FedEx has mis-delivered several shipments to me over the years, and they've gone and gotten it back in every case but one when I went and did it myself.
Did the recipient call FedEx and have them put a trace on the package?
They were shipping via UPS due to the low cost? First, I would think that the postal service would be cheaper if they were looking for low cost. Second, I had a similar issue with an airline shipping my ticket via UPS and when the ticket was lost, UPS would not give me any information about where the packet might be, not even when the airline tried to contact them. All they would say is, the package was 'delivered'.
I will not trust UPS ever again. Also, I have never had any problem with the United States Postal Service
Sorry but in the days of ultra high broadband and fiber optic connections what the hell are they doing sending tapes of all things by UPS.
Sounds to me like a planned "disaster" - cough - Heat - rather than an oops!
- - - - - - -
Hey, I hear you can run Windows on a PowerPC and
MAC OS X on INTEL... WTF is that all all!
Look I found it on ebay, They only want $1000. I am going to bid.
There's more to life than money. I guess they really want us to feel this.
If enough people care, and call, they will address the issue!
John
Campaign for Liberty
How can you make an accident illegal?
I like how you call it an "accident". Personally I'd call it "negligence" -and IANAL, but negligence is a tort and hence constitutes something they can be sued for (or even prosecuted if circumstances warrant).
I don't think there's a poster on this forum who would say that sending those tapes through UPS unencrypted wasn't an act of negligence.
That is why we put all of our backup tapes in a red box and then attach them to a carrier pigeon to get them to our off-site secure storage.
I noticed that one of the questions (in the FAQ) asked if UC would help restitute costs. Implying, "Will UC take any (non-verbal) responsibility for their mistake?"
The answer neatly sidestepped the question of moral responsibility and willingness to help, by referring to legal liability.
Interesting, but slimy.
More interesting still, is that UC made the FAQ, and could have reworded the question to make their answer sound less evasive.
Exam 4/C again. Maybe I'll do better this time.
I would hope that you are looking very hard for new employment.
If you're not, then the management is right not to worry about the effect on at least one employee.
Employees at almost every job I've had talk about how horrible it is to work there, but very few of them do more about it than complain in the break room.
It's a joke, son.
And what good would that do? Unless you're buying your Congresscritters 30 second spots or shuttling them around in your private jet with the very accommodating flight attendant, then you're barking at the breeze, buddy.
In this age of government by the highest bidder, the people losing your data are the highest bidders. Too bad. You can get as mad as you want but it doesn't change anything.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Fear, sometimes. Caution, sometimes.
Ridicule, often. Weaseling, always.
But, laws never instill common sense or courtesy.
...of those federal regulators might just happen to own Citi stock or have other personal or family financial interest in Citi?
Sometimes it really is quicker to move a large amount of data via old-fashioned, physical media. Plus, if it gets stolen, at least you know about it.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
"Until someone does some knee jerking"
Knee jerking doesn't help, since it implies short-term, not-thought-out solutions. Knee-jerk reactions tend to return you to where you were before you reacted (no lasting change).
Calmly finding a bank that is more responsible, and taking your business there is much better.
what the heck /., I thought I was logged in when I posted this...dangit. so much for karma.
Or does it seem like too many companies are losing data these days.
Now I can understand the thefts, the outright insider selling of data.
But come on, how do you lose 3.9 million accounts? This seems strange. This data, if it had to be shipped, should have been encrypted as well. According to the Gramm-Leach-Bliley act http://www.ftc.gov/privacy/glbact/ there are supposed to be provisions provided and set forth in such an event. Yet, we still read almost daily of some financial institution mishandling our data.
My question is, has this been an ongoing thing and we are just now becoming more aware of the problem, or is this type of careless concern what we can expect from our trusted banking institutions.
I am Bennett Haselton! I am Bennett Haselton!
Your tone presumes a single pattern of usage for credit cards that certainly does not apply to me.
I ordinarily wouldn't use credit cards. Except for a period of time a few years ago, I just had them as a backup and because you really can't pay cash very easily in too many places. I used mine in what I felt was a responsible way, paying them every month in full. And then I used them in a situation where I had a temporary cash shortfall to solve what should have been a short term financial crisis, and had a major problem caused by their desire to squeeze extra bucks out of me for doing so, making it hard to pay off in the short term and turning it to a long-term problem.
I'm doing my part by paying years of interest to prove that I was and am genuinely interested in holding up my side of the deal. I have, through that action, earned the right to be annoyed at the outlandish way they behaved (see my other response on this subthread for details). There was no excuse for it.
My only point here on this whole thread was that they get to laugh at me for being dumb enough to think they'd act responsibly, and now I get to laugh at them for getting caught acting irresponsibly on their own. They can plead "I'm a good guy and don't deserve this because I acted in good faith" but they didn't listen when I said the same, so they deserve what they get.
Kent M Pitman
Philosopher, Technologist, Writer
The trick to getting high value stuff through UPS is to label it just that - "High Value". If you value your items high enough (and pay the insurance coverage), UPS flags the item and it damned near gets hand carried through the system. If Citibank would have sent it valued at, say, $25k (woefully low for the damage its loss has caused), that little package would have been treated like the Crown Jewels.
My guess is the Citibank shipping drones weren't flagged as to the value of the contents and shipped it out at 1# for $3.85, valued at $100 (default/no extra fees).
Sure hope that $100 they get from UPS covers all of Citibank's expenses.
"As God is my witness, I thought turkeys could fly." A. Carlson
Where are Congressmen Paul Sarbanes and Michael Oxley nowadays? This kind of thing is right up their alley....
To read badly needed data off a 5-year-old encrypted medium, simply go to the safe and get the key used in the interval in which the tape was generated. Duuh.
seriously, isn't this kind of thing where a class action lawsuit should be filed?
3.9 million people, I'm likely to be one of them even though my accounts are already closed.
Another option would be to have all 3.9 million people request new social security numbers from the US Govt. There are only 1 billion numbers, eventually they'll run out.
42 - So long and thanks for all the fish.
Besides, if you care about your old data, you have someone reread every single piece of medium periodically, check the error rates, and make fresh copies when the rates are unacceptable or after (say) five years regardless. If there's an occasional unreadable block, the mirror copy should be okay.
If you're now asking, "mirror copy?" you had better hope your historical data are without value.
Let's see. A tape holding data the compromise of which could cost us millions, costs about $100. Of course we must compress, otherwise we might have to spend $200.
I've experienced missing packages in 2 cases, once for me and once for my parents. I believe both times the package was stolen (my parents' package contained a computer from Dell they shipped through the post office, dumbass Dell; mine was an LCD monitor that never left the DHL warehouse and couldn't be found). Who's to say a UPS employee for whatever reason didn't steal the package?
Awww man, and tomorrow the whole globe is getting a new email saying
"We are sorry, but CitiBank needs to verify your personal details including PIN due to the loss of our backup tape. Please click this link......."
This seems like a perfect use for this technique. Create a pad tape, and encrypt the original with it. Mail the pad by UPS to your destination; when its delivery is confirmed, mail your encrypted tape. For extra security, hand deliver 100 one time pads, and then mail the data tapes by any means you wish. They are completely useless without the pads.
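The split-channel pad scheme the post sketches, as an added example (my code, not the poster's): pads are generated once, as long as a tape, and travel separately; each tape image is XORed with one pad, and a ledger refuses to let a pad be spent twice, since a pad used for two tapes is no longer a one-time pad. The tape contents, the `PadLedger` class and the hash-prefix labelling of pads are constructed for this example.

```python
import hashlib
import secrets


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """One-time-pad transform: XOR each byte with the pad byte at the same offset."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the data it must cover")
    return bytes(a ^ b for a, b in zip(data, pad))


def pad_id(pad: bytes) -> str:
    """Label a pad by a hash prefix so the two shipments can be matched up
    without revealing the pad itself (hypothetical labelling for this example)."""
    return hashlib.sha256(pad).hexdigest()[:16]


class PadLedger:
    """Tracks which pads have already been consumed. A pad used for two tapes
    is no longer a one-time pad, so the ledger refuses the second use."""

    def __init__(self):
        self._used = set()

    def consume(self, pad: bytes) -> None:
        pid = pad_id(pad)
        if pid in self._used:
            raise RuntimeError(f"pad {pid} was already used; generate a fresh one")
        self._used.add(pid)


def make_pads(tape_size: int, count: int) -> list:
    """Generate `count` independent random pads, each as long as one tape.
    These are what would travel by the first (trusted or hand-carried) channel."""
    return [secrets.token_bytes(tape_size) for _ in range(count)]


def encrypt_tape(tape_image: bytes, pad: bytes, ledger: PadLedger) -> tuple:
    """Return (pad_id, ciphertext). Only the ciphertext travels by the second channel."""
    ledger.consume(pad)
    return pad_id(pad), xor_bytes(tape_image, pad)


def decrypt_tape(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so the receiver applies the same pad again."""
    return xor_bytes(ciphertext, pad)


def demo() -> dict:
    """Two constructed tape images (made-up content), two pads, one ledger."""
    tape_a = b"ACCT:0001 NAME:Example Customer SSN:000-00-0000 BAL:12.34\n" * 8
    tape_b = b"ACCT:0002 NAME:Another Example SSN:000-00-0001 BAL:56.78\n" * 8
    pads = make_pads(len(tape_a), 2)
    ledger = PadLedger()

    pid_a, ct_a = encrypt_tape(tape_a, pads[0], ledger)
    pid_b, ct_b = encrypt_tape(tape_b, pads[1], ledger)

    # Reusing pad 0 for a third tape is refused by the ledger.
    try:
        encrypt_tape(tape_b, pads[0], ledger)
        reuse_refused = False
    except RuntimeError:
        reuse_refused = True

    return {
        "a_recovers": decrypt_tape(ct_a, pads[0]) == tape_a,
        "b_recovers": decrypt_tape(ct_b, pads[1]) == tape_b,
        "wrong_pad_fails": decrypt_tape(ct_a, pads[1]) != tape_a,
        "ciphertext_differs": ct_a != tape_a,
        "reuse_refused": reuse_refused,
        "ids_distinct": pid_a != pid_b,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'ok' if ok else 'FAIL'}")
```

The two properties a practitioner should verify before trusting such a scheme are the ones `demo` reports: the wrong pad recovers nothing, and the ledger stops a pad from being spent twice. Losing a pad shipment in transit is harmless so long as the matching tape has not been sent; losing both shipments to the same party is the case the split in channels exists to avoid.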
Have an alternate form of identification that can be easily changed when someone steals it?
How appropriate would it be to have a single numeric password that accesses all of our accounts, that can never change, and once stolen will still be the same?
Especially since id theft is becoming ever more popular and advanced?
It may herald the end of times but some more secure form of universal identification other than ones social would be nice.
M$ it's whats for diner!!!!!
Who was responsible for their information being compromised. Last week I was informed by my bank that my debit card had been compromised and had to be turned off. I'm still waiting on my new card.
What irked me more than my information being compromised though was that neither the bank nor Shazam would disclose who the merchant was who was breached. When I asked the bank I was told that it would be "devastating" to the business. My point is, shouldn't it be? As I'm sure has been said here, this stuff probably happens every day without us knowing. Stupidity aside (like shipping unencrypted tapes via UPS), I can understand that some data is going to be compromised no matter what. What I don't understand is how a breached merchant can be allowed to remain anonymous and in cases of stupidity, the merchant isn't held accountable.
why the frack were they using UPS to carry their data? What, not enough armored carriers around? And why was the data not encrypted?
They've sent out an email to all their customers asking them to update their details on the web page - I've logged in and done it - so my pin is now safe and secure...
...To the guy that tried to stick it in a VCR and sees weird images coming up... It's not picasso porn!!!
It's not the destination that matters, but rather the journey.
Hearing about this, the first place I looked for helpful information was Citibank's website. No mention. Nada Zip Zero. Thanks for the help folks. One might think they could have a front-page notice with info on requesting fraud alerts on your credit records.
Oh Well....
enough is too much
My personal favorite is #1..
Citigroup Privacy Promise for Consumers
While information is the cornerstone of our ability to provide superior service, our most important asset is our customers' trust. Keeping customer information secure, and using it only as our customers would want us to, is a top priority for all of us at Citibank as a member of the Citigroup family of companies. Here then, is our promise to our individual customers:
1. We will safeguard, according to strict standards of security and confidentiality, any information our customers share with us.
2. We will limit the collection and use of customer information to the minimum we require to deliver superior service to our customers, which includes advising our customers about our products, services and other opportunities, and to administer our business.
3. We will permit only authorized employees, who are trained in the proper handling of customer information, to have access to that information. Employees who violate our Privacy Promise will be subject to our normal disciplinary process.
4. We will not reveal customer information to any external organization unless we have previously informed the customer in disclosures or agreements, been authorized by the customer, or are required by law.
5. We will always maintain control over the confidentiality of our customer information. We may, however, facilitate relevant offers from reputable companies. These companies are not permitted to retain any customer information unless the customer has specifically expressed interest in their products or services.
6. We will tell customers in plain language initially, and at least once annually, how they may remove their names from marketing lists. At any time, customers can contact us to remove their names from such lists.
7. Whenever we hire other organizations to provide support services, we will require them to conform to our policy standards and to allow us to audit them for compliance.
8. For purposes of credit reporting, verification and risk management, we will exchange information about our customers with reputable reference sources and clearinghouse services.
9. We will not use or share - internally or externally - personally identifiable medical information for any purpose other than the underwriting or administration of a customer's policy, claim or account, or as disclosed to the customer when the information is collected, or to which the customer consents.
10. We will attempt to keep customer files complete, up to date, and accurate. We will tell our customers how and where to conveniently access their account information (except when we're prohibited by law), and how to notify us about errors which we will promptly correct.
We will continuously assess ourselves to ensure that customer privacy is respected. We will conduct our business in a manner that fulfills our promise in the many nations in which we do business.
All we can do now is pray that the person or people who found/received the package are good hackers and that they might be kind enough to credit every one of those 3.9 million customers' accounts. (Oh how I want to be in that number...When the cash comes rolling in.)
http://www.theregister.co.uk/2005/06/07/citigroup_lost_tape/
The retail finance division of Citigroup has admitted that a backup tape containing personal information on almost 4 million customers has gone missing. The United Parcel Service lost the tape on May 2nd, and it hasn't been seen since. CitiFinancial only noticed the tape was missing on May 20. The tape contains Social Security numbers and transaction histories on both open and closed accounts at the bank's lending branches.
Citigroup says it has no reason to believe the tape has been stolen, but alarmingly, the tape hasn't shown up at any UPS depot despite six weeks of searching.
The company admitted that it doesn't use encryption on its electronic transmissions, nor explained why it took so long to notify the public.
Earlier this year a backup tape belonging to Ameritrade went astray, with personal information on 200,000 customers; Time Warner lost a tape containing information on 600,000 individuals, and Bank of America and Wachovia suffered a data breach affecting 100,000 customers each in May.
Customers are advised to call 866-452-2484
... A class-action lawsuit?
Think about this for a moment. There have been thousands upon thousands of malpractice lawsuits against individuals who showed gross incompetence.
In this case, not only did Citigroup fail to transfer the data, but they also failed to secure it. People who could have been potentially affected by this might actually be able to sue them.
Oh and why they decided to use snail courier is beyond me. There are so many SECURE VPN connections out there... idiots.
It's been nice, but little citicard, it's time you and I part ways. You look really nice and shiny, but your parent company is showing major evidence of greed and stupidity. I know it sounds terrible, but if I don't cut you up, your number will be used and abused and it'll be up to me to sort it out.
Goodbye sweet plastic.
This article strikes me as odd. I used to work for a Citigroup subsidiary, and they had tons of stupid rules for how to handle sensitive data that we followed to the letter. One of them was that all information labeled as sensitive or higher (acct #s, addresses, ss#, etc) had to be shipped via Brinks armored trucks. This included paper and electronic media records. We also had to keep all client sensitive information under lock and key each night, and had frequent checks for it. To top it all off, we had to watch stupid videos by the CEO about the company we wanted to be, and how we should be preemptive in doing the right thing when it came to transactions and handling company data. We had to sign attestations to the fact. It was a horrible place to work, with restrictions on everything. Ironic that with all their rules, they still managed to screw up somewhere.
lol, if you saw how that place works on the inside, you'd not be surprised.
It's a joke.
Consultant (developer) interview, (on the phone):
What's the difference between a class and an interface?
What's the difference between a hashmap and a hashtable?
Tell us about your experience.
You're hired!
No writing actual code as a condition of employment, no actual in person interview.
The IT department has posters on the wall explaining what phishing is.
The code is a joke. I would have fired anyone working for me who writes code the way they do. I terminated my contract after the first 3 days, once I realized they were not interested in cleaning things up.
The truth is, nothing will change because of this. They don't really care. Any changes were already in the works. This is a place where people become managers by staying around long enough.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
If they used an older version of AMANDA to run the backups, no problem. That piece of crap has trouble reading its own tapes half the time. :P
Anyone that gets ahold of the tapes will throw up their arms in frustration and mail them back.
It's surprising the number of organizations that use the SSN as an id.
Most school systems do, primary, secondary, and colleges. If you are in the military, your serial number is your social security number. It's right there on your id card. All your documents will have it printed on them as well. You want a bunch of SSNs, get a job as a bouncer near a military base and write them down as you check ids.
Get a job in 'retail' anyplace that offers military or student discounts. We are constantly putting our security in the hands of an abused underpaid underclass. Do you think someone making $5.15/hour really cares about keeping your info secure?
Truth be told, you would think banks, who have a financial interest in the matter, would look for something other than a social security number for id. They are only making it easy to get themselves ripped off.
Maybe they should just check the tracking number...
UPS liability is for the cost of the physical tape, not the data regardless of what it may have been insured for.
And rewards! I've earned a $100 gift card for doing nothing other than using my credit card instead of my check card. When I get home, I can transfer money online straight from my bank account with no fees.
Plus, if I get double-charged, or my card number gets stolen, it's my credit card they're holding money on, not my checking account.
The fact that the government issues social security numbers is not the problem - they're great for what they were designed to do, identify social security recipients. You pay your taxes, uncle sam knows you paid your taxes, so when you go to cash out social security uncle sam knows you qualify. If someone "steals" your SSN to pay more taxes for you, well, great.
The problem with the system is that EVERYBODY ELSE has decided to use social security numbers to identify you, *AND* also to use them to prove that you are who you say you are.
Bank: "I need to know who you are. What is your social security number?"
You: "123-45-6789"
Bank: "I need you to prove that you're really this person. What is your social security number?"
You: "123-45-6789"
THAT'S the problem. It's like protecting your system by requiring a user ID to log in, and then, to make sure the user is who they say they are, asking for the user ID again. Pretty stupid, isn't it?
Anyway, it's not the government's fault that others use social security numbers for both the login and the password.
paintball
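The post above describes the SSN doing double duty as the login and the password. As an added example, not code from the thread or from any bank, here is that dialogue written out as a verification routine, next to a variant that keeps the two roles separate: the SSN only selects the record, and the authenticator is a secret chosen at enrolment and stored as a salted PBKDF2 hash. The customer records, SSNs and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records in the shape of what the lost tape reportedly held
# (SSN plus account data). The SSNs are the usual placeholder values, not real people.
LOST_TAPE = [
    {"ssn": "123-45-6789", "name": "A. Customer", "balance": 1500},
    {"ssn": "987-65-4321", "name": "B. Customer", "balance": 42},
]
BY_SSN = {rec["ssn"]: rec for rec in LOST_TAPE}


def weak_verify(claimed_ssn, proof_ssn):
    """The bank dialogue from the post: identify by SSN, then 'prove' it by
    repeating the SSN. Identifier and authenticator are the same string, so
    anyone holding the tape passes for every customer on it."""
    rec = BY_SSN.get(claimed_ssn)
    if rec is None or proof_ssn != claimed_ssn:
        return None
    return rec


# Separated variant: the SSN only selects the record; authentication uses a secret
# chosen at enrolment that is stored only as a salted PBKDF2 hash, so it is not part
# of the customer record and would not be on a tape like this one.
PBKDF2_ROUNDS = 100_000  # work factor; raise it as hardware allows


def enroll(secret):
    """Return the stored credential for one customer: random salt plus derived hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def strong_verify(claimed_ssn, secret, credentials):
    """Look the record up by SSN, then check the separate secret in constant time."""
    rec = BY_SSN.get(claimed_ssn)
    cred = credentials.get(claimed_ssn)
    if rec is None or cred is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), cred["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, cred["digest"]):
        return None
    return rec


def tape_holder_logins(verify):
    """How many accounts someone holding only the tape gets into, offering the
    SSN read off the tape as the 'proof of identity'."""
    return sum(1 for rec in LOST_TAPE if verify(rec["ssn"], rec["ssn"]) is not None)


def demo():
    """Returns (logins under the weak scheme, logins under the separated scheme,
    whether a legitimate customer still gets in under the separated scheme)."""
    # Assumed enrolment secrets chosen by the customers; only their hashes are stored.
    chosen = {"123-45-6789": "correct horse battery", "987-65-4321": "staple hunter"}
    creds = {ssn: enroll(s) for ssn, s in chosen.items()}

    def strong(claimed_ssn, proof):
        return strong_verify(claimed_ssn, proof, creds)

    weak_hits = tape_holder_logins(weak_verify)
    strong_hits = tape_holder_logins(strong)
    legit = strong_verify("123-45-6789", chosen["123-45-6789"], creds) is not None
    return weak_hits, strong_hits, legit


if __name__ == "__main__":
    print(demo())
```

With the tape alone, the weak scheme opens every account on it and the separated scheme opens none, while the real customer still gets in with their secret. The point is not that PBKDF2 is the only choice (a hardware token or a bank-issued one-time code would do the same job); it is that the thing proving identity must be something the identifier database, and therefore the tape, never contained.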
I have some experience working with companies like Citibank in the debit/credit business.
What I found is that in some instances, data is very well protected and they do an excellent job following the letter and spirit of the regulations.
What happens though is that there are other areas of a company that are authorized users of the privileged data that don't require the same burdensome security procedures. They have their own business unit with their own procedures, and never the two business units shall meet.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Now they have everyone's mother's maiden name.
If you don't use hardware compression, the backup could take longer too. And it's not like they're ever quick.
...a major financial institution clumsily lost millions of sensitive customer data records???!?!
Hmmm. Must be Tuesday.
I happen to have a copy of this data. If you send me your name and social security numbers I'll check to see if you're on it and let you know.
Security... it is either way overdone, or it seems like it is ignored. Maybe fines are a good way to go to prevent this, but then I would also suggest that consumer sovereignty take over. Select a credit card based on the services that they provide and the track record they have in arenas that you care about (security). DON'T SELECT A CARD BECAUSE OF A SHINY ENVELOPE.
It is a little bit like the abused spouse, who keeps returning to the abuser.
The bottom line... If consumers don't use Citigroup's cards, things will either change or the company will be deprecated.
Paul
the Citi managers are.
Since I once worked at Bank of America, I don't have to wonder: I KNOW bank managers are idiots.
To hand over ten million pieces of confidential data to U-P-fucking-S? When they send their bank accounting data via licensed and bonded courier companies in armored cars? You know, the ones that say "Accounting data only" on the side?
And THEN have the GALL to say, "Well, it was on mainframe computer tapes, so nobody can read it!"
Go here
and tell me some guy isn't extracting this stuff right now.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Problem is, within 5 years, your hardware has been updated and it no longer has a compatible drive on it. And compatible drives are no longer available new, so you have to resort to eBay. That is, unless you went through all of your old backups and converted them when you switched over (and the reason you switched over was NOT because of hardware failure)...
Does the lost data include what I owe them? That'd be sweet!
Why do people keep saying, "backup"? It wasn't a backup going to an offsite vault; it was a data feed to a business partner. A very different situation and a very different amount of data.
And, $3000? Go take a look at Citigroup's financials. Would $3000 even be visible on the annual report? Now erase a lot of the trust that all that money represents. Think *that* transaction would be visible? I do.
"No additional credit may be obtained from CitiFinancial without your prior approval, either by initiating a new application or by providing positive proof of identification," the nation's No. 1 financial services company said in the letter.
---
So wait a second here. What exactly is 'positive proof of identification'? From the description of the lost data it would seem that it contains just about all the proof one would need (stupidly). The reliance on an account number (SSN) as a proof of identity is quite silly and makes me sick.
Customer: So you lost my personal records in transit?
Citibank: Yes. We're very sorry.
Customer: I see. Well, I'd like to withdraw my deposits.
Citibank: Well, it's funny you should ask...
Pretty soon credit card companies may offer customers identity insurance (for a fee, of course). If you refuse the coverage and they lose your data, too bad.
If the assholes at Citibank used encryption, it would be a non-issue. What kind of encryption do YOU use? Winzip with passwords? PGP Whole Disk? Any recommendations for encrypting an entire disk on Mac/Lin/Windoze?
Just for everyone's information, any Citibank customer that is a part of Citibank's Credit Monitoring Service will get 90 days for free for this little accident of theirs. Even though this is small compensation for potentially getting your entire identity stolen, it is still worth about 30 bucks, so I for one welcome that. You can find more information or sign up for the Credit Monitoring Service at https://www.creditmonitoring.citi.com/index.asp.
I would guess that they will require you to have been a customer before this incident happened to get the 90 day credit. I think their incentive for this is so that users can check to see if anything is wrong with their credit, while in the same time, making their liability a bit less if this incident is ever taken to court.
1. This tape was almost certainly generated by a mainframe. Why? Because the server doesn't exist that can handle the volume Citibank pushes. Not even close.
/.'ers are the paranoid sort, they probably spread their banking out over 6 institutions, half of them online. So no one really gets to know you, or take care of your banking needs as a whole. Which would lift that score nicely and give you more of a bargaining chip, as in pulling all your accounts instead of just your crummy, profitless free checking.
Now, why's that important? Because your typical fraudster/hacker/script kiddie bad guy doesn't have a mainframe, tape reader (no, not like the one obsessive geeks have on their PCs as some kind of never-used backup device) and the ability to easily convert EBCDIC to ASCII. Or even know what EBCDIC was if they somehow managed to mount the tape to something that could try to read it. Not to mention getting the decode right for all the packed fields that store things like account balances, PIN numbers and other important bits. And if I told most of you that you would probably use IDCAMS to read this, you would get that 8-year-old-told-Santa-doesn't-exist blank stare on your face.
In short, this tape is practically useless except to a major IT installation.
2. Tapes like this are shipped all over the country all the time. Most folks use couriers, but UPS is not unheard of. And a courier could lose it just as easily....
3. As to the posters complaining that no one tracks what a good customer is, yes they do. There is a number that combines your credit score, number and balance of accounts, and general activity into what a bank would call a profitability rating. That's how YOUR bank would decide what sort of card to offer you. But since most