In one of the largest breaches of data security to date, CitiFinancial, the consumer finance subsidiary of Citigroup, announced yesterday that a box of computer tapes containing information on 3.9 million customers was lost by United Parcel Service last month, while in transit to a credit reporting agency.
Executives at Citigroup said the tapes were picked up by U.P.S. early in May and had not been seen since.
The tapes contained names, addresses, Social Security numbers, account numbers, payment histories and other details on small personal loans made to millions of customers through CitiFinancial’s network of more than 1,800 lending branches, or through retailers whose product financing was handled by CitiFinancial’s retail services division.
The company said there was no indication that the tapes had been stolen or that any of the data in them had been compromised.
It was, however, the latest in a series of recent data-security failures involving nearly every kind of institution that compiles personal information – ranging from data brokers like ChoicePoint and LexisNexis to financial institutions like Bank of America and Wachovia to the media giant Time Warner to universities like Boston College and the University of California, Berkeley.
All these institutions have reported data breaches in the last five months, affecting millions of individuals and spurring Congressional hearings and numerous bills aimed at improving security in the handling of sensitive consumer information. The fear is that Social Security numbers, when combined with a consumer’s name, address and date of birth, can be used by thieves to open new lines of credit, secure loans and otherwise steal someone’s identity.
Whether the recently reported breaches indicate an epidemic of data loss is unclear. Many privacy and security advocates have suggested that a California law, requiring that consumers be notified of data security breaches, has led to more confessions of data losses and increased awareness of a longstanding problem.
Much more in the article. If not logged in NY Times will pause for an ad before showing you the article … at least today. May need to login to see it later…unsure?!
Thanks to Klok for passing this info along.
Even though there is no ‘evidence’ to prove what happened to the data – whether it was stolen or ‘just’ lost – it is still very unnerving to know it could be in the hands of those who would abuse that knowledge, and if so, was it a valid UPS truck that picked up that data?!
It is getting to the point where any form of identification these days is suspect because of the number and magnatude of security breaches among those who are ‘supposed’ to be protecting that information.
And the worst part? These types of thefts and security issues and terrorism is what made RealID possible. Now that’s sad.