Slashdot Mirror


3.9 Million Citigroup Customers' Data Lost

Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"

35 of 602 comments

  1. And what did the UPS guy say? by Kaisum · Score: 5, Funny

    "oops"

    1. Re:And what did the UPS guy say? by Anonymous Coward · Score: 3, Interesting

      Quote: "Beginning in July, this data will be sent electronically in encrypted form."

      You wouldn't believe the amount of software and infrastructure currently being expended to meet this deadline. I'm working on it now. Sounds easy, doesn't it? It's not.

    2. Re:And what did the UPS guy say? by Skater · Score: 3, Insightful

      Then when that gets cracked there'll be 500+ messages on /. about how stupid they were for doing something so simple and how they should be protecting our data better than that.

    3. Re:And what did the UPS guy say? by hjf · Score: 4, Funny

      And if they used proprietary encryption by something like Cisco, 3Com or some IBM storage solution, and that got cracked, then /. would be filled with 500 messages about how they didn't use an open source solution.

      Oh and if they used an open source solution and that got cracked, the fault would also be theirs, and they would also get 500 messages on how they used an older (or newer!) release, or because they didn't use an obscure "x" patch which you can find in "y" page, hosted in some East European country and in a language used only in that country... etc.

  2. How often does this happen now? by ZephyrXero · Score: 5, Interesting

    A week hasn't gone by this year that some major data warehouse hasn't been "broken into". When are these people going to start taking our privacy and their security a little more seriously...

    --
    "A truly wise man realizes he knows nothing."
    1. Re:How often does this happen now? by wft_rtfa · Score: 3, Interesting

      Actually all this hacking and losing of data has been happening for quite some time. We are just now hearing about it more because California passed a law requiring people to be notified of data loss.

      In this case, the lost cargo is probably in a UPS warehouse somewhere. They probably ran over the cargo with a forklift, and it's currently unidentifiable.

      See http://www.perkinscoie.com/content/ren/updates/ecomm/062703.htm for more info on the CA law.

      --
      :-] :0 :-> :-| :->
  3. Unacceptable by Adrilla · Score: 5, Insightful

    These companies are treating this information far too trivially. Laws need to be passed that will make this type of carelessness illegal and/or compensate these customers for losing their info. I think the lack of trust from customers would be incentive enough, but obviously it isn't, so more needs to be done to prevent these fiascos. And on another note, why aren't more consumers, in this day of rampant identity theft, completely outraged by these events? What is this, the fourth incident in the past few months (and I'm probably lowballing the number)? This is simply unacceptable.

    --

    "Plans are for fools!" -- Oglethorpe, the Plutonian (Aqua Teen Hunger Force)
    1. Re:Unacceptable by britneys+9th+husband · Score: 4, Insightful

      How can you make an accident illegal?

      You can't, but you can make the things that tend to lead to accidents illegal. You'll notice there's no law against getting into a car crash, but there are lots of laws about driving too fast, running red lights, driving drunk, unsafe lane changes, etc., etc.

      Same idea here. If I can be fined for driving 100mph because it might cause an accident, Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.

      --
      Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
    2. Re:Unacceptable by ScoLgo · Score: 4, Insightful

      Which company do you hold responsible here? Citigroup Financial? Or UPS? While UPS is guilty of losing the package in transit, perhaps CF should have used a more secure transport method. I dunno, what is more secure than UPS, FedEx, DHL, etc...? Armored car driving to and fro between cities?

      So what is your solution? (Hint: YMFL (Yet More Federal Legislation) will not prevent accidental loss of freight packages.)

      BTW - I write this as someone who has a mortgage with Citigroup so my data could be at risk here. However, my knee is not jerking violently, (yet).

      --
      "Michael, I did nothing. I did absolutely nothing - and it was everything that I thought it could be."
    3. Re:Unacceptable by d474 · Score: 3, Insightful

      "This is simply unacceptable."

      Not to those with a tyrannical agenda. Call me a conspiracy theorist, but I'm pretty sure corporations have been having these kinds of "incidents" so our representatives had an excuse to pass and now move forward with the Real ID Act. It passed 100 FOR, 0 AGAINST, despite widespread opposition.

      So you want to pass a law that is unpopular?

      Problem.
      Reaction.
      Solution.
      It's called Diocletian's Problem.
      --
      Authority questions you. Return the favor.
  4. They changed their slogan: by game+kid · Score: 5, Funny

    UPS: What can BROWN lose for you?

    --
    You can hold down the "B" button for continuous firing.
  5. Gives new meaning to their slogan by gooman · Score: 5, Funny

    What can Brown do for You?

    --
    "Kittens give Morbo gas!"
  6. Support legislation for criminalization of this by Bamfarooni · Score: 4, Insightful

    If we create legislation that makes losing customers' personal information a criminal offense, then maybe these giant megalomerates will stop collecting (and abusing) it.

  7. remember folks by Anonymouse+Cownerd · Score: 5, Insightful

    just because you didn't hear about things like this in the past doesn't mean they didn't happen.

    --
    http://www.rayn.net . Funny. Stuff.
  8. is it hot in here? by qda · Score: 5, Funny

    seems the brown has hit the fan

  9. Sensitive Data via UPS? by Lithium_Golem · Score: 5, Insightful

    I used to work for UPS customer service. I'd say at least .1% of all packages either get damaged or lost during shipping. Shipping packages of low value is no big deal, your losses over time will be minimal. Shipping packages of high value, however, will result in considerably larger losses over time. DO NOT SHIP YOUR HIGH VALUE GOODS VIA UPS/FEDEX/DHL/ETC. I cannot stress that enough. Hire a private courier. Hire someone in your company. Drive it yourself. Find someone with better than a 99.9% success rate if your package is worth millions.

    1. Re:Sensitive Data via UPS? by Anonymous Coward · Score: 3, Interesting

      You are so full of crap you damn UPS apologist.

      > .1% of all packages either get damaged or lost during shipping

      You obviously have zero experience in the shipping field despite your claim to have worked for UPS. It isn't uncommon at times to have 100 times that percentage of packages lost or damaged by us. We are a union shop so the lazy thugs we have can get away with anything. For example at the terminal where I work, a local jewelry store went out of business and shipped out about four dozen nice watches to a broker. Now almost every employee at this terminal has a nice brand-new watch. Another example, Kel-Tec CNC released a new pistol a couple of years ago. One of the drivers here picked up the first few batches of pistols from them. Not a one of them made it to the FFLs who ordered them. The BATF couldn't even get UPS to take action against the union.

      In both cases UPS couldn't fire a single person. Our union allows us to damage or steal as much as we want to. Your 0.1% number is complete crap. If you're shipping something worthless, broken, or bulky that's not worth the time for a union member to steal, you might only have that small of a loss. Otherwise, my coworkers can and will steal. And good luck collecting from UPS. We pay out on less than 2% of the packages that are damaged and on less than 5% of the packages lost.

      Skinner

    2. Re:Sensitive Data via UPS? by d474 · Score: 4, Funny

      Everyone knows that when you have valuable data to transport, you use Johnny Mnemonic. I hear he can carry nearly 80 Gigs of data in his head.

      --
      Authority questions you. Return the favor.
  10. Is it really lost? by Sheetrock · Score: 3, Insightful

    I'm sure the data's still there. Maybe someone else has access to it, but that doesn't affect the original.

    I never really understood why they called it identity theft. Much like I can't understand why they call it "stealing" music. Nothing's actually gone -- it's really more of an identity infringement.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  11. Attach a cost to lost data by Deep+Fried+Geekboy · Score: 5, Insightful

    The only way to solve this is to attach a cost to personal data. As soon as you do this, companies will, instead of trying to collect as much data as they can, treat it (rightly) as something they should collect as little of as possible. Lost data should have a cost to it which sends shudders down the spine of Chief Financial Officers.

    I expect this will take a big class action lawsuit, but if I were a company of any size which handled confidential client data, I would be scrambling for a way to reduce my liability.

    --

    I'm not wrong. You haven't thought about it hard enough.

  12. Data separation by digidave · Score: 3, Interesting

    There is no reason why this data needs to be shipped together. Citigroup should keep social security numbers separate from names, separate from account history, separate from address, etc. All this can be assembled when needed and it would make it much harder to steal useful data or for a criminal to make use of any lost tapes.

    --
    The global economy is a great thing until you feel it locally.
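The separation digidave describes can be made concrete with keyed tokens. The Go program below is an added example, not Citigroup's, UPS's or any commenter's code: it replaces each SSN with an HMAC-SHA256 token under a key that stays with the sender (and is shared only with the receiving bureau), ships the account history keyed by that token alone, and keeps the name-to-token file at home. The record layout, customer names, SSNs and the key are constructed sample values; the thread does not describe the real tape format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is one retail-customer row as it might sit on a tape. The layout is a
// constructed sample; the thread does not describe the real tape format.
type Record struct {
	Name    string
	SSN     string
	History string
}

// Constructed sample data. The key is the secret that must never travel with
// the tape; in practice it would be exchanged with the bureau out of band.
var SampleKey = []byte("constructed-demo-key-never-on-the-tape")
var SampleRecords = []Record{
	{Name: "Alice Example", SSN: "123-45-6789", History: "loan:auto;balance:12000"},
	{Name: "Bob Sample", SSN: "987-65-4321", History: "card:revolving;balance:350"},
}

// Tokenize maps an SSN to an HMAC-SHA256 token. Without the key a token reveals
// nothing about the SSN; with it, the same SSN always yields the same token, so
// both parties can join on it.
func Tokenize(key []byte, ssn string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

// Split builds the two data sets: the lines to ship (token,history) and the
// lines retained by the sender (token,name). Neither set alone links a name to
// an SSN, and the shipped set carries neither.
func Split(key []byte, recs []Record) (shipped, retained []string) {
	for _, r := range recs {
		tok := Tokenize(key, r.SSN)
		shipped = append(shipped, tok+","+r.History)
		retained = append(retained, tok+","+r.Name)
	}
	return shipped, retained
}

// LeaksIdentity is the pre-shipment check: does any line still contain a raw
// SSN or a customer name?
func LeaksIdentity(lines []string, recs []Record) bool {
	for _, l := range lines {
		for _, r := range recs {
			if strings.Contains(l, r.SSN) || strings.Contains(l, r.Name) {
				return true
			}
		}
	}
	return false
}

// MatchAtBureau is the receiving side: holding the same key and its own SSN
// list, the bureau tokenizes its SSNs and joins them to the shipped lines.
func MatchAtBureau(key []byte, shipped []string, bureauSSNs []string) map[string]string {
	index := make(map[string]string, len(bureauSSNs))
	for _, s := range bureauSSNs {
		index[Tokenize(key, s)] = s
	}
	matched := make(map[string]string)
	for _, line := range shipped {
		parts := strings.SplitN(line, ",", 2)
		if len(parts) != 2 {
			continue
		}
		if ssn, ok := index[parts[0]]; ok {
			matched[ssn] = parts[1]
		}
	}
	return matched
}

func main() {
	shipped, retained := Split(SampleKey, SampleRecords)
	fmt.Println("shipped to bureau:", shipped)
	fmt.Println("kept at sender:   ", retained)
	fmt.Println("identity on tape?:", LeaksIdentity(shipped, SampleRecords))
	fmt.Println("bureau re-links:  ", MatchAtBureau(SampleKey, shipped, []string{"987-65-4321"}))
}
```

The caveat is the token space: SSNs are nine digits, so anyone who obtains the key can enumerate every SSN and reverse the tokens. The key, not the hash, is what protects a lost tape, which is why it goes to the bureau by a separate channel and gets rotated per shipment rather than living on the same media.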
  13. Has It Always Been this Bad? by adavies42 · Score: 3, Insightful

    As this is just another in a long string of weekly "your vital data stolen" stories, I'm starting to wonder: have big companies always been this fucking careless, and it's only due to SOX et al. that we're learning about it now? I'm not even sure which I'd prefer.

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
  14. *blinks* by Scum+Puppy · Score: 5, Insightful

    You have to be kidding me. UPS? To transfer secure information? Where I work, we receive a backup tape from a production system that we load that contains sensitive data. That tape is sent back to my group via Iron Mountain (and we send the old tape back the same way). And this isn't even stuff as high profile as what Citigroup apparently lost. When services exist like this to facilitate occasional, VERY important shipments, there's just no excuse for using UPS or FedEx. I fear for the free market if this is "business as usual" for it.

    1. Re:*blinks* by ZephyrXero · Score: 5, Interesting

      Regardless of who they used, why didn't they have some sort of encryption on the data? I'm not blaming UPS, I'm blaming Citibank...

      --
      "A truly wise man realizes he knows nothing."
    2. Re:*blinks* by Anonymous Coward · Score: 5, Interesting

      No, no, no. That would be too much thought.

      More than likely they paid a consultant $3.5 million to set up a secure backup system which would work flawlessly. Bought it. Installed it...

      And then new IT director-minion-worked-at-walmart-last-week went in to "optimize" the server and kill any "useless" processes that were making it run slow, and killed the encryption process.

      And then of course they backup for two years without encryption until they hire a $8 an hour "casual" to "catalog" and "clean up" the archives -- and he discovers that they aren't encrypted. Notifies his boss who really doesn't understand -- and nothing happens.

      And then they have a security breach and are "caught off guard". Heads roll, new consultants are hired, and the process begins again.

      Well, at least that's what seems to happen where I work.

  15. Nice to know where their priorities lie by Lead+Butthead · Score: 5, Insightful

    These are the people that would pay through the nose for an armoured car to truck their cash around, but would send huge amounts of customer information through UPS.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:Nice to know where their priorities lie by El+Camino+SS · Score: 4, Insightful

      Well, that is because credit card companies don't care about you on a cosmic level. Damn right they never cared about your data. Hell, they sold it to every company on the planet already!

      Why would they? What are you going to do? "Cancel your card? YOU HAVE A BALANCE! MUAAHHAHAHHHAHA! Fraud you say? Yeah, right! I don't care if you have Cancer, get back to work you deadbeat."

      Most of America is in a you're-screwed-bonus-round with these jackasses. They give a crap about your data. These are the same generous, kind, and loving souls that sold you out to begin with. Everybody at light-my-fart.com got your name and address from them, why shouldn't they just get the freakin' credit card numbers, too?

      Credit card companies are the big banking's little thugs.

      Q: What's the difference between a credit card company and a loan shark?
      A: Loan sharks tell you up front what they're going to do if you don't pay up.

      Look, they never cared. They might feel bad, but I guess they feel bad about it in the same way that Satan would feel bad about killing children in a freeway pileup. "Whoops! *Chuckle*!"

      Nothing punitive is ever going to come of this. If you have any doubts, recognize this:
      Didn't our wonderful President just sign a bill for you to never be able to declare bankruptcy, even if you get freakin' terminally ill? I wonder who wrote that gem of a law for the people? Hmmmm. The President could give you a NO THANK YOU option on Social Security for the generations that will get nothing. That didn't happen. He wants to FORCE you to put your social security money in a special PRIVATELY OWNED BANK right now, in a way that you can never touch it. Wow. Who put that racket together?!? He's spending every waking moment touring the country supporting that agenda! Golly Gee whiz, I wonder who helped him see the light on that? I for one, trust our corporate masters. They would never screw us over. Never.

      Trust me. Nothing will ever come of this. You have been warned.

  16. You break it, you buy it. by Doc+Ruby · Score: 5, Insightful

    CitiGroup no doubt spends millions each year on network encryption for data transmitted across WANs. I wonder if the data on these tapes was encrypted? Since they're "backups", I doubt it. Sure, UPS screwed up the sensitive task entrusted to their expert professionals. But CitiGroup took an unacceptable, unnecessary risk by allowing the task to be so sensitive. They should all have to indemnify every exposed CitiGroup customer from identity crimes in perpetuity, including the time the customers spend managing this exposure.

    --
    make install -not war

    1. Re:You break it, you buy it. by DJStealth · Score: 4, Informative

      From TFA:

      "We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers," Kevin Kessinger, executive vice president of Citigroup (Research), said in a statement. "Beginning in July, this data will be sent electronically in encrypted form," said Kessinger, who heads the company's consumer finance business in North America.

      The above quote implies that currently it is not in encrypted form.
  17. Obvious by YrWrstNtmr · Score: 5, Funny

    Search for 'high security' at ups.com:

    Find Results With
    The exact phrase high security
    Search for "high security" found 0 matches.

  18. As a UPS employee... by ap0 · Score: 4, Informative

    I bet we're going to get bitched at tonight to scan all our packages! I load the semi trucks that haul ground packages across the country and don't think any foul play is involved. There are quite a few things that could have happened to it. It might have even ended up in another customer's package if it's very small. We should have been able to find it, though. It's pretty damn difficult for a package to get lost for more than a couple days in our facilities.

  19. Lecture Time by NetSettler · Score: 4, Insightful

    Having myself been lectured (and inappropriately, by the way) by Citibank employees about how it's my own fault my credit card interest rates went up (it wasn't, by the way), I hope at minimum that someone sits down the entire senior staff of this company and lectures them like they were children for many hours, making them feel as embarrassed and disrespected as they routinely do to their customers.

    And then, just to make the point, they should have to pay not just whatever court-assessed penalties, but that amount plus 24.99% retroactively applied to the entire amount backdated from the time they finally pay all the way back to the time of the incident, just like they're always raising people's interest rates to unreasonable amounts like that even retroactively on purchases already made, and to ensure that they pay in a timely way.

    And it goes without saying that reparations should be paid personally by the people who run the company, not passed along to customers.

    --

    Kent M Pitman
    Philosopher, Technologist, Writer

    1. Re:Lecture Time by NetSettler · Score: 4, Informative

      lemme guess: someone's bitter because they signed a contract...

      It never occurs to anyone that the Bank, and not me, might be the one who didn't like their end of the contract...

      I got an adverse credit report and they raised my interest. The nature of the adverse report? I had used my card.

      Yes, they give you cards at a certain interest rate and if you've never seen it happen, you can use them responsibly, make your payments, etc. and still end up with a "too much unsecured credit" marker from the credit agencies because they decide (after issuing the cards, when they realize you're going to use them) that you borrowed too much (i.e., that they offered you more credit than they meant to). They don't frame it (as they should) as "oops, we didn't mean to authorize that card." They think it's my burden to keep track of that, I guess. And I thought it was just my burden to make the payments.

      Have I failed to keep my credit current? Nope. I managed to keep up to date even with the near crippling interest rates. But I did my financial planning based on the smaller interest rate they had originally negotiated with me, not realizing I'd be a bad customer by merely using my cards. I just had some intermediate bloat while I waited to sell my house and needed a large amount of short-term credit to cover some upgrades on the house while it was preparing for sale. I saw my rates jump from single-digits into the 20's.

      Why did they do it? Because their economic models said I was a risk and because they could. But then, with all that personalization (by which they mean a "photo on the card") it never occurred to them to just call me and talk to me about what was going on in my life and to find out why my balance was high. Some personalization.

      First USA (bought by BankOne, then bought by Chase) and MBNA are the absolute worst. Citibank and Sears were intermediately aggressive. They're all suddenly calling me a valued customer and offering me single digit rates again now that my house got sold and I paid some of it back down.

      They spend tons of money trying to detect bad customers. They spend nothing trying to detect good customers. You're right I'm bitter.

      But, just to stay on topic (which your uninformed, ad hominem attack on me was not, IMO), my real point is that the credit card companies behave in a routinely holier-than-thou way about everything they do involving money, while they soak the public for infinite money. Then on top of large profits, they ask a Republican Congress for a change to the bankruptcy bill because they allege they are being soaked by bankruptcies, even though they're seeing huge profits even before the changes. To listen to these megabanks, they are the victims and we the public are the powerful perpetrators. I just don't see it. So I see no reason not to be quite harsh with them when they screw up.

      --

      Kent M Pitman
      Philosopher, Technologist, Writer

  20. They Can Be Fined.. by camusflage · Score: 4, Informative

    Citibank should be able to be fined for sending unencrypted data via UPS because it might cause an accident.

    They can be. GLBA, as it's known in the financial services circles, requires any financial institution to design, implement, and maintain controls to protect customer confidential data, which it appears is what was lost. Whether it's an audit trail for a system running on the network, or encryption when travelling on an unprotected network, GLBA dictates that the highest level of care be used when handling customer data. It is something that we in the banking world take very, VERY seriously.

    If they so chose, the FTC, the OCC, the SEC, the CFTC, or state insurance regulators could fine Citigroup for violations of GLBA.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  21. Nothing so paranoid as an ex-C-bank employee... by Anonymous Coward · Score: 4, Insightful

    But I gotta tell you, making sure the box was taped shut before tossing it at a random UPS worker itself was an unusual act of caution, for C-bank. I worked at the ops center for five years, and the statements you fill out are simply dumped into a shredder truck - papers fly everywhere and blow in the wind. Checks, sometimes boxes of them, get lost. A few of my fellow employees were caught stealing and "excused". A few more were never caught.

    What, you think there's something special about C-bank? No, they're the rule, not the exception. Every financial institution cares just about the same amount about your data, and your life - in fact, the only money they really watch out for is the huge sums the company gets to keep for itself - THAT money (and the company's data) gets MUCH more carefully guarded!

    My rule these days is, giving away information that you don't have to is like giving whiskey and car keys to a teenager. So apply for the credit card, but just write "disconnected" in the phone number box. Use several free email addresses and make sure they're evenly distributed as contact drops. Make a "mistake" in estimating your exact gross annual income, when reporting it to anybody but the IRS.

    The point is not to be subversive, but just to be realistic. The information age has spawned a paper-happy bureaucracy driven by bean-counters who want your life history at every other step. Check it yourself - 90% of the data that you go through life writing in little boxes is simply dropped into a filing cabinet unread, unneeded, and ignored. I've gotten driver's licences with no address (just a PO box!), paycheck stubs with no SS number on them (you can ask to get it removed), and once got Household Credit to approve "Barney the Purple Dinosaur" for a credit line of $250. (To the best of my knowledge, the address I did this at *still* gets offers for him...)

    Most of the people who key the data from your form to the computer do not even speak English! In fact, the most likely method for your data to be read is for the processing center to OCR-scan (or flat picture scan) it into a computer, where the images can then be beamed to the lowest-bidding Malaysian crack monkey (anywhere in the world) who "reads" the picture of your data and keys it in. And they're feeling the pressure from machine-AI reading programs, which are able to translate more and more of your handwriting with a higher percent-chance of confidence every day.

    Bottom line, if you throw a "Jr" onto your name half the time and half not, or only use your middle initial as the fancy strikes you, you're lying to no-one but an SQL database app, and you're only doing what little is in your power to confuse would-be identity thieves; necessary in a world that will always refuse to protect you!