CitiFinancial 'Deeply Regrets' Customer Info Breach

CitiFinancial is mailing letters to 3.9 million of its U.S. customers, informing them that computer tapes holding personal information including names, Social Security numbers, account numbers, and payment history are missing. The tapes contained information about CitiFinancial branch network customers in the United States, and customers with closed accounts from CitiFinancial Retail Services. CitiFinancial is the division of Citigroup that provides consumer loan products and services. The letter states "the situation arose during the routine shipment of computer tapes to a credit bureau," but published news reports say a box containing the tapes, picked up May 2 from Weehawken, NJ, via UPS, was lost enroute to an Experian facility in Texas. CitiFinancial learned of the missing tapes on May 24, and contacted the Secret Service on May 27 following its internal investigation, according to reports. Information it provides to credit bureaus will be sent electronically in encrypted form starting in July, according to Kevin Kessinger, executive vice president of Citigroup's Global Consumer Group, and president of Consumer Finance North America. "We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers," Kessinger said in a statement. "There is little risk of the accounts being compromised, because customers have already received their loans, and no additional credit may be obtained from CitiFinancial without prior approval of our customers, either by initiating a new application or by providing positive proof of identification." The financial services company's data security woes makes the company the latest to be added to the list of other marquee names to have customer information either lost or stolen, including Bank of America, Wachovia, and Time Warner. Wayne Eckerson, director of research and services at The Data Warehousing Institute (TDWI), says companies are not devoting enough attention to securing customer data. "Companies don't know how valuable an asset is until something goes wrong," he says. "These are a series of wakeup calls to organizations anywhere that they need to start treating data as a valuable corporate asset, as valuable as any of the other things they have on their balance sheet as assets. We're talking about jeopardizing customer relationships, as well as potential lawsuits and loss of business." Shy of locating the tapes and preventing them "from getting into the wrong person's hands," Eckerson says, "there's not a heck of a lot they can do," to make customers feel more secure. Although CitiFinancial entrusted a partner with its data, Eckerson warns that customer companies are not excused from ensuring that processes are running smoothly. "Ultimately you not only have to sign good contracts with your partner, you have to manage and audit them and make sure that their processes are failsafe," he says. In times of crisis the amount of incoming inquiries will increase. Donna Fluss, principal of DMG Consulting, urges organizations to immediately notify all customer-facing employees and to arm them with very detailed and scripted answers to questions. "It needs to be not just information the company wants to give the customers--answers have to address the inquiries that will come in. If the organization doesn't provide agents with answers to the tough questions that the customers are going to be asking, then they're going to leave the call or contact center agents or other customer-facing people to be creative with their answers, and that's not a situation that they want." Related articles: AOL Tightens Its Phishing Net The Internet service turns to financial security specialists to protect customers as fraud and online security issues continue to grow. Experian Delivers Small-B2B Marketing Intelligence Consumers May Face Increased Risk of Identity Theft