By TOM ZELLER Jr.
In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.
Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since.
The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial's network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial's retail services division.
The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised.
It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information -- ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley.
All these institutions have reported data breaches in the last five months, affecting millions of individuals and spurring Congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information. The fear is that Social Security numbers, when combined with a consumer's name, address and date of birth, can be used by thieves to open new lines of credit, secure loans and otherwise steal someone's identity.
Whether the recently reported breaches indicate an epidemic of data loss is unclear. Many privacy and security advocates have suggested that a California law, requiring that consumers be notified of data security breaches, has led to more confessions of data losses and increased awareness of a longstanding problem.
[TELECOM Digest Editor's Note: I'll tell you the latest thing the phishers are doing: A phisher dressed up like a UPS delivery man or Federal Express person shows up at the company to get the daily shipment to the credit bureaus (yes, it is a _daily_ transfer). The person of course has no connection to the delivery service; he just does what is called 'reverse engineering' or 'social engineering' on the bank employees responsible for making the transfer of the tapes.
A variation on this happened a number of years ago when two guys dressed as postal employees showed up at the Amoco Oil Company credit card office in the (presumably secure) area where new plastics were issued and mailed out to new customers. Because Amoco had been tipped off the day before that this was going to happen, they were able to prevent it with FBI guys on hand to arrest the pair who were posing as postal workers coming to get the daily output of fresh cards to go in the mail. I am surprised the phishers have not thought of this before: rather than one by one trying to trick information out of people, instead trick the relative handful of people in charge of data transfer between bank and credit bureau. PAT]