Citibank admits: We've lost the backup tape

The Register ^ | Tuesday 7th June 2005 | Andrew Orlowski

[softengine]

The retail finance division of Citigroup has admitted that a backup tape containing personal information on almost 4 million customers has gone missing. The United Parcel Service lost the tape on May 2nd, and it hasn't been seen since. CitiFinancial only noticed the tape was missing on May 20. The tape contains Social Security numbers and transaction histories on both open and closed accounts at the bank’s lending branches.

Citigroup says it has no reason to believe the tape has been stolen, but alarmingly, the tape hasn't shown up at any UPS depot despite six weeks of searching.

The company admitted that it doesn't use encryption on its electronic transmissions, nor explained why it took so long to notify the public.

Earlier this year a backup tape belonging to Ameritrade went astray, with personal information on 200,000 customers; Time Warner lost a tape containing information on 600,000 individuals, and Bank of America and Wachovia suffered a data breach affecting 100,000 customers each in May.

Customers are advised to call 866-452-2484 ®

[pabianice]

So? What's the worst that could happen?

[mewzilla]

Citibank is *my* bank!

You know, my mattress is startin' to look pretty good...

[RockinRight]

Well isn't this forking wonderful. I have THREE Citibank accounts...two credit cards and a personal loan...

[BigSkyFreeper]

LOL! That too!

[umgud]

It don't matter........ I figure the only reason we don't have more ID theft is because we don't have enough talented crooks. In this day and age, financial data is soooo easy to get, I'm amazed the system hasn't collapsed due to bilking.

[littlelilac]

my limited understanding is that in Canada that the major banks here operate parallel central computer systems so if one goes down, the other system can continue whilst the other system is being repaired

[tophat9000]

Agreed. I've worked at several banks and the backups weren't encrypted. But the tapes were hand-couriered to and from the "iron mountain" offsite storage and checked in/checked out on both ends. We never sent them via common carrier!

Speaking of bank screwups, a very large bank who shall remain nameless keeps sending me CDs of customer data for the wrong company. I've told them repeatedly to cease and desist but it happens 2 or 3 times a year.

I know this is just very sloppy "rookie" type IT mistake...as an FE the first thing I learned is Customer data is SACRED!...this is the complete (potentially irreplaceable) business on these tapes...physically treat them as such... but I've seen this kind of dumbness before...you burn, you learn

[combat_boots]

So exactly what DO they do for security then, and what IS the frequency Kenneth?

[Ghost of Philip Marlowe]

"The United Parcel Service lost the tape on May 2nd..."

I hope someone sues that POS company out of existence. Every single time I've used their "delivery service," the order has been damaged or otherwise gone awry.

Oh, but they can fill out one of those post-it "We were here" forms faster than you can put your coffee mug down and walk to the door. They're excellent at filling out those notices.

[chainsaw]

I don't use UPS anymore. They lost a package of mine several years ago and I was never reimbursed a nickle for it. Red tape was the reason I didn't pursue the matter.

[RightWhale]

Commercial software is very conservative. That is, prehistoric. Same in the medical industry. ASCII screens, still. It must have something to do with the nature of the customer.

[chainsaw]

I suppose your correct. That is one way to keep him/her from the problem again.

It is stupid for not having a backup especially when it's being sent out of house.

[quantfive]

"If you knew some of the stuff that I have seen about the data that banks have sent through UPS without encryption or security safeguards or even checking out where they are sending it, you'd drop a cinder block."

Yeah, it will take all 4 million customers getting whacked for $2 billion dollars before the banks wake up. My private bank sent me a new credit card after they reported all 35,000 customers had their data stolen. This happened 3 months ago.

[Yo-Yo]

"The company admitted that it doesn't use encryption..."

The encryption is the fact that you have to have exactly the right tape drives and mainframe computer to even read these tapes. You don't just shove 1" reel to reel tape into your A:\ drive.

[SoDak]

/bin/rm -r /usr/citibank/mycard

[UnbelievingScumOnTheOtherSide]

I figure the only reason we don't have more ID theft is because we don't have enough talented crooks.

The silver lining to our pathetic education system.

[Continental Soldier]

Is there any reason why CitiBank shouldn't be the subject of some very serious litigation in this matter? How dare they just blow it off by giving out a phone number to call?! It may be time to put to the fire the feet of one of the country's greatest userers!

[todd1]

If it wasn't for Sarbanes Oxly they would have never said anything about this. This is a huge compliance issue.

[todd1]

They should have had IRON mountain pick up the tapes. But I am sure they were going on the cheap.

[NetValue]

The lawsuits would have to show financial damage to clients because the bank was negligent in using a plain-text tape and sending it via UPS. UPS has a liability too just for losing the tape. Considering the posible number of clients and the possible extent of financial damage, the bank's and UPS' liability could be ruinous to both.....billions IMHO.