3.9 Million Citigroup Customers' Data Lost
Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
"oops"
A week hasn't gone by this year that some major data warehouse hasn't been "broken into". When are these people going to start taking our privacy and their security a little more seriously...
"A truly wise man realizes he knows nothing."
3.9 million more recipients for "refinance NOW" spams...
These companies are treating this information far too trivially. Laws need to be passed that will make this type of carelessness illegal and/or compensate these customers for losing their info. I think the lack of trust from customers would be incentive enough, but obviously it isn't, so more needs to be done to prevent these fiascos. And on another note, why aren't more consumers, in this day of rampant identity theft, completely outraged by these events. What is this the fourth incident in the past few months (and I'm probably lowballing the number)? This is simply unacceptable.
"Plans are for fools!" Oglethorpe, the Plutonian (Aqua Teen Hunger Force)
UPS: What can BROWN lose for you?
You can hold down the "B" button for continuous firing.
Customer: Hi sir, I have my paper statement here which claims I had $1,000,234.01 in my account a month ago. Please bring my account back.
Employee: Ummm, let me verify that with my datab... I mean.... let me get my manager.
Customer: No problem. Take your time. Would you like some free coffee. It's on me.
What can Brown do for You?
"Kittens give Morbo gas!"
If we create legislation that makes losing customers' personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.
Just because you didn't hear about things like this in the past doesn't mean they didn't happen.
http://www.rayn.net . Funny. Stuff.
seems the brown has hit the fan
I used to work for UPS customer service. I'd say at least .1% of all packages either get damaged or lost during shipping. Shipping packages of low value is no big deal, your losses over time will be minimal. Shipping packages of high value, however, will result in considerably larger losses over time.
DO NOT SHIP YOUR HIGH VALUE GOODS VIA UPS/FEDEX/DHL/ETC. I cannot stress that enough. Hire a private courier. Hire someone in your company. Drive it yourself. Find someone with better than a 99.9% success rate if your package is worth millions.
I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The only way to solve this is to attach a cost to personal data. As soon as you do this, companies will instead of trying to collect as much data as they can, treat it (rightly) as something they should collect as little as possible. Lost data should have a cost to it which sends shudders down the spine of Chief Financial Officers.
I expect this will take a big class action lawsuit, but if I were a company of any size which handled confidential client data, I would be scrambling for a way to reduce my liability.
I'm not wrong. You haven't thought about it hard enough.
There is no reason why this data needs to be shipped together. Citigroup should keep social security numbers separate from names, separate from account history, separate from address, etc. All this can be assembled when needed and it would make it much harder to steal useful data or for a criminal to make use of any lost tapes.
The global economy is a great thing until you feel it locally.
In the Google ads in the sidebar next to this story they have a listing for "Jobs at UPS". Extremely fitting for this situation as there has to be a few employment spots opening up at 'brown' after this incident.
As this is just another in a long string of weekly "your vital data stolen" stories, I'm starting to wonder: have big companies always been this fucking careless, and it's only due to SOX et al. that we're learning about it now? I'm not even sure which I'd prefer.
Media that can be recorded and distributed can be recorded and distributed.
-kfg
You have to be kidding me. UPS? To transfer secure information? Where I work, we receive a backup tape from a production system that we load that contains sensitive data. That tape is sent back to my group via Iron Mountain (and we send the old tape back the same way). And this isn't even stuff as high profile as what Citigroup apparently lost. When services exist like this to facilitate occasional, VERY important shipments, there's just no excuse for using UPS or FedEx. I fear for the free market if this is "business as usual" for it.
These are the people that would pay through the nose for an armoured car to truck their cash around, but would send huge amounts of customer information through UPS.
ELOI, ELOI, LAMA SABACHTHANI!?
Don't they even care about encrypting data on removable media?
that's so lame!
will be taking their business elsewhere
I am moving from BofA after their mishap.
Somewhere smaller, hopefully more secure.
Hit them where it hurts!!!!
I guess not, otherwise this would be a nonissue. It is unbelievable that in this day and age a company the size of Citigroup would ship unencrypted tapes. Geez, it is trivial to do and a no-brainer. Really, whoever is in charge of IT security policy there is an idiot and should be fired immediately and any security credentials (like CISSP) stripped so he/she can't pull another fast one on some other company. This is the height of absurdity and irresponsibility.
CitiGroup no doubt spends millions each year on network encryption for data transmitted across WANs. I wonder if the data on these tapes was encrypted? Since they're "backups", I doubt it. Sure, UPS screwed up the sensitive task entrusted to their expert professionals. But CitiGroup took an unacceptable, unnecessary risk by allowing the task to be so sensitive. They should all have to indemnify every exposed CitiGroup customer from identity crimes in perpetuity, including the time the customers spend managing this exposure.
--
make install -not war
There is definitely something wrong with this system! I'm all for doing without consumer credit, but it's simply not feasible.
Perhaps we need a public-key style scheme where we generate a unique private key that we use to encrypt things like credit card applications, and then the public key is on file with the government and credit card companies and the like. That way only we have access to important private information, but the credit reporting agencies and the government can still keep track of us the way they do currently.
This would beat the hell out of biometrics and nonsense like that (you can't bloody send someone a retina scan over the internet or through the mail!), and it would do something to improve our privacy by preventing people from faking your identity.
I bet we're going to get bitched at tonight to scan all our packages! I load the semi trucks that haul ground packages across the country and don't think any foul play is involved. There are quite a few things that could have happened to it. It might have even ended up in another customer's package if it's very small. We should have been able to find it, though. It's pretty damn difficult for a package to get lost for more than a couple days in our facilities.
Isn't this the second time (or more, most likely) that a set of shipped customer data has been "lost?"
It's quite possible that the scum of the universe that feeds on harvested identities has gotten sophisticated enough that they are now able to identify such in-transit packages and have them go missing.
Bottom line -- companies should not be shipping this type of information via common carriers.
Having myself been lectured (and inappropriately, by the way) by Citibank employees about how it's my own fault my credit card interest rates went up (it wasn't, by the way), I hope at minimum that someone sits down the entire senior staff of this company and lectures them like they were children for many hours, making them feel as embarrassed and disrespected as they routinely do to their customers.
And then, just to make the point, they should have to pay not just whatever court-assessed penalties, but that amount plus 24.99% retroactively applied to the entire amount backdated from the time they finally pay all the way back to the time of the incident, just like they're always raising people's interest rates to unreasonable amounts like that even retroactively on purchases already made, and to ensure that they pay in a timely way.
And it goes without saying that reparations should be paid personally by the people who run the company, not passed along to customers.
Kent M Pitman
Philosopher, Technologist, Writer
As yuo no, we are comited to protectng your prievecy adn as such we need u 2 veerify yuor account by going 2 this site CITIGROUP.COM adn entreing lots of peersonil info.
Tahnk you 4 ur help in tihs imprtnt matter
Signed, CITIGROUP
- "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
There are government regulations in place that require collecting a certain amount of information, including SSN. The IRS must be notified if you make a deposit or withdrawal over $10,000 and the bank needs to send you and the IRS information relating to interest earned for tax purposes.
Until the fines cost more than the security implementations, huge companies like Citi will always have problems like this. Hell, CitiCards shows the domain administrator's username in all of the marketing materials. I tried to change this when I was there and I got the big f@ck you, shut your mouth or you're out of here.
- stolen from saic
- illegally sold by bank of america
- lost by citibank
awesome! thanks a lot guys
I expect this will take a big class action lawsuit...
There are certainly better ways to solve this problem than the "let's make them afraid of lawsuits" method. Fear of reprisals tends to motivate people to cover up their mistakes, shift blame elsewhere, and so on.
Litigation is the same kind of "solution" that the US medical system has been using for some time, and it has contributed to having, by far, the most expensive medical system in the world, without commensurate quality.
Rather than going down that road again, we should be more proactive about protecting personal information. Here's just a few things we need:
I don't see what the big problem is. If they'd bought insurance they could replace the data storage tapes easily...
Waking Up - There must be a better way to start the day.
They are unaccountable. Try complaining to your state's AG about your bank or CC company. You'll be told that the OCC (Office of the Comptroller of the Currency) has jurisdiction. Want to complain to them? Well, they'd probably listen if they weren't staffed by governmental appointees and ex-industry insiders.
Want to sue? Sorry, but you've probably already given up that right under an "arbitration" clause. One could try a class-action suit, I suppose, though that avenue's been largely gutted by the "Class Action Fairness Act".
So what if the industry loses a few more dollars to identity theft? They'll just raise interest rates, late fees, and overlimit charges to make up for it.
No problem.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Here in Mexico there are suspicions of dirty operations by Citigroup, i.e. multi-million tax fraud when buying the Mexican bank "Banamex". Mexican news reporter Lily Tellez has received death threats because she spoke about it.
And you thought losing some customers' information was serious. Ha hah.
I'm sure it was insured...
-tom
We need a law which would heavily fine and imprison the CEO of any company that lost customer data. With this over their heads you could be sure that all security measures would be taken regarding our information. The fine would go to the individual whose information was lost or transferred or whatever without their approval.
There must come a time when we start to understand that any kind of personal information first belongs to the person from whom it is derived. It is similar to personal property. And this kind of property must not be available for sale, nor may the individual give up his right to this property.
This kind of law would make storing information on people more of a risk for the info gatherers.
1984 is on the way, a bit late but coming, so please, let's do something to stop it.
This is a test!
Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.
They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.
If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.
The truth about Scientology, Xenu, and you: Operation Clambake
This sort of thing is just gasoline on the fire for using biometrics for identification. Once all transactions are backed by solid proof of id, your SSN and credit card numbers can be openly published right next to your address and phone number.
What, you think there's something special about C-bank? No, they're the rule, not the exception. Every financial institution cares just about the same amount about your data, and your life - in fact, the only money they really watch out for is the huge sums the company gets to keep for itself - THAT money (and the company's data) gets MUCH more carefully guarded!
My rule these days is, giving away information that you don't have to is like giving whiskey and car keys to a teenager. So apply for the credit card, but just write "disconnected" in the phone number box. Use several free email addresses and make sure they're evenly distributed as contact drops. Make a "mistake" in estimating your exact gross annual income, when reporting it to anybody but the IRS.
The point is not to be subversive, but just to be realistic. The information age has spawned a paper-happy bureaucracy driven by bean-counters who want your life history at every other step. Check it yourself - 90% of the data that you go through life writing in little boxes is simply dropped into a filing cabinet unread, unneeded, and ignored. I've gotten driver's licences with no address (just a PO box!), paycheck stubs with no SS number on them (you can ask to get it removed), and once got Household Credit to approve "Barney the Purple Dinosaur" for a credit line of $250. (To the best of my knowledge, the address I did this at *still* gets offers for him...)
Most of the people who key the data from your form to the computer do not even speak English! In fact, the most likely method for your data to be read is for the processing center to OCR-scan (or flat picture scan) it into a computer, where the images can then be beamed to the lowest-bidding Malaysian crack monkey (anywhere in the world) who "reads" the picture of your data and keys it in. And they're feeling the pressure from machine-AI reading programs, which are able to translate more and more of your hand-writing with a higher percent-chance of confidence every day.
Bottom line, if you throw a "Jr" onto your name half the time and half not, or only use your middle initial as the fancy strikes you, you're lying to no-one but an SQL database app, and you're only doing what little is in your power to confuse would-be identity thieves; necessary in a world that will always refuse to protect you!
What Citibank did (shipping unencrypted sensitive data by UPS):
1. Is or at least ought to be a crime. People there should now be looking forward to jail time, not just fines.
2. Some customer affected should initiate a class-action suit. Damage was done.
3. Why don't they (and the authorities) make the obvious assumption that the data was stolen, not lost?
Not at all. But with regards to the recent bankruptcy bill, I see it as two wrongs, compounded by a third and bigger wrong.
* Wrong #1: People who use credit cards unwisely. Nothing good about this, and I won't defend it.
* Wrong #2: Credit card companies that push credit on people with relentless advertising. Then they advance credit to just about anyone, and are happy, even eager, to up your credit line. IMHO, they are knowingly making bad loans. This used to be known as "bad banking" and was punished by bad profits.
* Wrong #3: After years of making bad loans, and starting to see personal bankruptcies rise as a result, the credit card companies buy legislation to "close the loophole." They have been taught nothing about prudence in loaning, at all. Neither side is right in this. But the bad part is what happens to that original background of bankruptcies, before this credit abuse bubble. This bill is catching some of those legitimate bankruptcies and turning them into lifetime debtors.
The living have better things to do than to continue hating the dead.
There are so many credit cards that offer better terms, you should cut your Citicard up into tiny bits and mail it to them with your cancellation. After Citigroup acquired AT&T Universal card, I stopped using it because of the horrific terms. You are being treated the way you are because that is the way management wants you treated. Life is too short to put up with that kind of nonsense. Start with ClarkHoward.com, type credit cards in the search box and free yourself!
And what good would that do? Unless you're buying your Congresscritters 30 second spots or shuttling them around in your private jet with the very accommodating flight attendant, then you're barking at the breeze, buddy.
In this age of government by the highest bidder, the people losing your data are the highest bidders. Too bad. You can get as mad as you want but it doesn't change anything.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
The trick to getting high value stuff through UPS is to label it just that - "High Value". If you value your items high enough (and pay the insurance coverage), UPS flags the item and it damned near gets hand carried through the system. If Citibank had sent it valued at, say, $25k (woefully low for the damage its loss has caused), that little package would have been treated like the Crown Jewels.
My guess is the Citibank shipping drones weren't flagged as to the value of the contents and shipped it out at 1# for $3.85, valued at $100 (default/no extra fees).
Sure hope that $100 they get from UPS covers all of Citibank's expenses.
"As God is my witness, I thought turkeys could fly." A. Carlson