By TOM ZELLER Jr.
June 7, 2005
In one of the largest breaches of data security to date,
CitiFinancial, the consumer finance subsidiary of Citigroup, announced
yesterday that a box of computer tapes containing information on 3.9
million customers was lost by United Parcel Service last month, while
in transit to a credit reporting agency.
Executives at Citigroup said the tapes were picked up by U.P.S. early
in May and had not been seen since.
The tapes contained names, addresses, Social Security numbers, account
numbers, payment histories and other details on small personal loans
made to millions of customers through CitiFinancial's network of more
than 1,800 lending branches, or through retailers whose product
financing was handled by CitiFinancial's retail services division.
The company said there was no indication that the tapes had been
stolen or that any of the data in them had been compromised.
It was, however, the latest in a series of recent data-security
failures involving nearly every kind of institution that compiles
personal information - ranging from data brokers like ChoicePoint and
LexisNexis to financial institutions like Bank of America and Wachovia
to the media giant Time Warner to universities like Boston College and
the University of California, Berkeley.
All these institutions have reported data breaches in the last five
months, affecting millions of individuals and spurring Congressional
hearings and numerous bills aimed at improving security in the
handling of sensitive consumer information. The fear is that Social
Security numbers, when combined with a consumer's name, address and
date of birth, can be used by thieves to open new lines of credit,
secure loans and otherwise steal someone's identity.
Whether the recently reported breaches indicate an epidemic of data
loss is unclear. Many privacy and security advocates have suggested
that a California law, requiring that consumers be notified of data
security breaches, has led to more confessions of data losses and
increased awareness of a longstanding problem.
"I think what we're seeing is a situation that's been going on for a
long time," said Beth Givens, director of the Privacy Rights
Clearinghouse, an advocacy group in San Diego, "and one which has only
been made visible by California's law."
The California law, which went into effect in July 2003, requires
state government agencies as well as companies and nonprofit
organizations - regardless of where in the country they do business -
to notify California customers if the personal information maintained
in their data files has been compromised.
Yet in an age of transnational banks, Internet commerce and giant data
aggregators, notifying only California residents when data on
consumers all over the country is potentially lost or compromised has
proved to be a public relations impossibility. (ChoicePoint was widely
accused of planning to notify only California residents when it
learned that information on at least 145,000 Americans had fallen into
the hands of thieves; the company, however, said it was planning on
nationwide notification all along.)
Now, with each week bringing new reports of data loss, whether because
tapes fell off the back of a U.P.S. truck or because data was
electronically stolen by hackers or thieves, at least five other
states - Arkansas, North Dakota, Georgia, Montana and Washington -
have passed similar notification laws. As of last month, dozens of
other states were considering similar laws.
In the most recent incident, Citigroup executives say the box
containing the tapes was handed over to U.P.S., along with other items
for shipping, on May 2, under "special security procedures" that the
bank required of the courier. One of those special procedures, said
Citigroup's chief operations and technology officer, Debby Hopkins,
included scanning the bar code on each package, rather than scanning
only the single bar code on the shipment manifest, which is a summary
document listing all the packages being moved in one shipment.
According to Ms. Hopkins, just the summary document was scanned for
the box, which was picked up in Weehawken, N.J., so U.P.S. was unable
to track where in the delivery chain the box was lost. It was not
until May 20 that an employee of Experian, the credit reporting agency
that was to receive the tapes, called CitiFinancial to report that
they had not arrived at Experian's data-processing center in Allen,
Tex. An investigation by U.P.S. failed to locate the package.
CitiFinancial has notified the Secret Service, which is called
whenever there is a compromise of financial data. The agency is
investigating the incident, and CitiFinancial has begun sending
letters to all 3.9 million customers advising them of the loss and
offering them 90 days of free enrollment in a credit-monitoring
service. Other institutions with data-loss problems have also offered
free credit-monitoring services, some for as long as a year.
A spokesman for U.P.S., Norman Black, would not go into specifics on
where or how the security system broke down, but said the courier was
continuing its investigation. Mr. Black said blame ultimately lay with
"They tendered us a package and expected it to be delivered in the
reliable way that we always do," he said, "and we had to go back to
them and tell them that we can't find it."
Mr. Black said that an exhaustive search of all U.P.S. facilities
nationwide had turned up no sign of the package. "It's rare that it
gets to the point where we can find no trace of it," he said.
A spokesman for Experian, Donald A. Girard, said he had never seen an
instance of a shipment of this kind simply disappearing, although he
added that he and other credit agencies had been encouraging financial
institutions to convert from tapes to encrypted electronic delivery of
"Experian has been actively working for quite a while with all major
data contributors to convert to electronic data transference," Mr.
Girard said, "to mitigate risk in this process."
Ms. Hopkins of Citigroup said that most of the company's divisions
already did this, and that the CitiFinancial unit is scheduled to
convert to such electronic transfers in July.
She also said that the missing tapes, which were not encrypted, were
created using mainframe-type computers and highly specialized hardware
and software that would make it difficult - though not impossible - to
extract data from them.
And Ms. Givens of the Privacy Rights Clearinghouse said, "Your
everyday dumpster diver may not know what to do with these tapes, but
if these tapes ever find their way into the hands of an international
crime ring, I think they'll figure it out."
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.