Customer Data Lost, Citigroup Unit Says

By Jonathan Krim
Washington Post Staff Writer
Tuesday, June 7, 2005

A unit of financial services giant Citigroup Inc. said yesterday that a box of computer tapes with account information for 3.9 million customers had been lost in shipment, exposing a vast new swath of Americans to the increased possibility of identity theft.

The announcement from CitiFinancial, a subsidiary that provides personal and home equity loans, pushes to more than 6 million the number of U.S. consumers whose personal data have been lost or stolen in just the past six months. The spate of breaches has included federal agencies, universities, banks and other financial institutions, data brokers and data-storage companies.

CitiFinancial officials said the company does not know whether the box was stolen and is treating it as lost. The data contained names, addresses, Social Security numbers and loan-account data, but a spokesman said there is no evidence the data have been misused.

Nonetheless, the company sent out letters to all of its U.S. customers warning them to watch their financial accounts for suspicious transactions and offering a 90-day service to alert them if someone tries to establish credit in their name.

Company video cameras show United Parcel Service Inc. picking up the box of computer tapes May 2 at a CitiFinancial facility in Weehawken, N.J., according to Kevin Kessinger, executive vice president of Citigroup's Global Consumer Group. But he said the driver did not scan the box when he picked it up, in violation of extra security measures UPS had agreed to take.

CitiFinancial did not know for nearly three weeks that the box failed to arrive at its destination. UPS officially declared it missing May 24, Kessinger said. The tapes were headed for Experian Information Solutions Inc., one of the nation's three large credit-reporting companies. Financial institutions routinely send their data to these firms, which serve as clearinghouses for merchants that want to know if consumers are worthy of receiving credit.

CitiFinancial held off notifying customers until yesterday at the request of the U.S. Secret Service, which is investigating.

Kessinger said he was frustrated and disappointed that CitiFinancial's security requirements were not followed by UPS.

"We deeply regret this happened," Kessinger said.

Norman Black, a spokesman for UPS, declined to comment on specifics of the case.

"We have conducted an exhaustive search through our entire U.S. network," Black said. "We can't find it." He added that UPS has no evidence the box was stolen and that on rare occasions shipping labels can get torn off or be rendered illegible.

CitiFinancial and other Citigroup units have been preparing to encrypt such data and transmit it electronically instead of by freight, officials said. The company expects to complete that transition this year.

Consumer information like that on the tapes is an increasingly valuable commodity in a world of electronic commerce, with Social Security numbers serving as a key for access to financial accounts. While some high-profile data breaches have been the result of online attacks by thieves infiltrating networks, more low-tech methods can be just as effective, such as stealing computers or tricking people into releasing sensitive information. Or the data can simply go missing.

Last month, a data storage company lost information on 600,000 current and former employees of Time Warner Inc. In February, Bank of America Corp. reported it had lost tapes containing data on 1.2 million federal employees, including some U.S. senators.

The breaches have thrown a spotlight on the active marketplace for personal data and prompted calls for congressional action to impose limits such as restricting the availability of Social Security numbers.

© 2005 The Washington Post Company