Citibank, 3,900,000 SSNs, unencrypted tape
[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.]
CNN is reporting that “Info on 3.9M Citigroup customers lost.”
Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the biggest breach of customer or employee data reported so far.
Citigroup, the nation’s biggest financial services company, said that UPS lost the tapes while shipping them to a credit bureau in Texas.
The tapes covered CitiFinancial customers and about 50,000 customers with closed accounts from CitiFinancial Retail Services. Customers of CitiFinancial’s auto and mortgage businesses were not affected.
…CitiFinancial is inviting customers to enroll via a toll-free number, 1-888-469-8603, in a free credit monitoring service for 90 days. It said it earlier enrolled the customers in a separate service to help prevent identity theft.
Citigroup’s official statement is “U.S.: CitiFinancial Statement on Lost Data Tapes.” I ask: 90 days? How about “until we find the tape?” The Wall St Journal article, “Citigroup Says Data Lost On 3.9 Million Customers,” confirms the data wasn’t encrypted:
“The likelihood of having the information compromised is very remote given the type of equipment that is required to read it,” Debby Hopkins, Citigroup’s chief operations and technology officer, said in an interview. “Additionally, the information is not in a format that an untrained eye would even know what to look for.”
Oh, the irony.
Thanks to Pete Spire Lindstrom for asking why I’m not on this yet.
Hard to say how often backup tapes mysteriously disappeared back before it was hip to talk about it in the papers, but it sure seems like they tend to walk away a lot lately.
Some enterprising journalist should ask Citi (or BoA) what their history has been. Are tapes with PII “lost” more often?