he story has become all too familiar, and it's the worst fear of banking and credit card customers: A company reports a significant loss of consumer data from theft or loss in shipment. On June 6, 2005, CitiFinancial announced the loss, by the United Parcel Service (UPS), of a box containing tapes of the personal and financial information of 3.9 million customers.

CitiFinancial is the consumer banking division of Citigroup. The company said that it shipped the box a month earlier, from its headquarters in Weehawken, N.J. The box's destination: the data processing office of Experian, a credit reporting agency in Allen, Texas.

On the missing tapes are names, addresses, Social Security and bank account numbers, payment histories and other loan information of Citi customers. "We haven't seen any suspicious activity," said Rob Julavits, Citigroup's Consumer Bank spokesperson. "We let the customers know what was lost and what to look for." To transport the tapes, Citi gave the shipment to UPS on May 2 to process with special security procedures, including scanning bar codes on each package. "There is a special place in the truck, locked in a separate area," Julavits said. Only the barcode on the shipping manifest was scanned, not the individual barcodes, according to Debby Hopkins, Citigroup's Chief Operations and Technology Officer. The box with the tapes could not be tracked individually.

Experian did not report the box missing until it called Citi on May 20 to say that it had not received it. The "boxes were picked up in the possession of UPS and did not go where they were supposed to go," Julavits said.

This Isn't the First Time

The loss of the Citi tapes is the latest in a long line of consumer data breaches this year alone. San Diego, Calif.-based Privacy Rights Clearinghouse (PRC) compiled a chronological list of data breaches that have taken place since identity thieves compromised 145,000 records at data broker ChoicePoint in February. (See "Thieves Gain Access to 145,000 Consumer Records," The Green Sheet, Feb. 28, 2005, issue 05:02:02).

The PRC counts 43 breaches and estimates that these affected the personal consumer data of more 9.6 million people.

Over the past five months, affected companies have reported the breaches. Not limited to banks, compromises have occurred at almost all types of institutions that store consumer data. However, the types of breaches and the compromised companies cannot all be lumped into one category.

In addition to ChoicePoint, consumer data at LexisNexis were hacked; Bank of America Corp. (BofA) and media conglomerate Time Warner lost backup tapes with the information of 1.2 million and 600,000 people respectively; retailer Polo Ralph Lauren's systems were hacked; scores of universities including the University of California at Berkeley and Boston College suffered from stolen computers and hackers.

We're Lucky We Know

Until very recently, notifying individuals that their information was compromised was not a legal requirement and certainly not something that the company at fault was ready and willing to do. (Although not all data breaches are the same, there are no exceptions to the notification requirements). A California law that went into effect July 2003 stipulates this notification requirement.

A company must inform any person residing in the state of a data security breach involving his or her information, even if the company operates somewhere else.

This law though, in an era of cross-border business, has had quite an impact throughout the country. Five other states, Arkansas, Georgia, Washington, North Dakota and Montana, have enacted similar laws, while Sen. Dianne Feinstein (D-CA) has proposed one at the federal level.

Data compromise has been occurring well before February. "Not only [have data breaches] been building steam, but for every one breach, there are four that go unreported," said John Oltsik, a Senior Analyst with Enterprise Strategy Group, an analyst firm focused on storage and information management.

Oltsik said that sometimes people never find out if their personal information has been compromised. He said his firm is hearing a lot more about it right now because of disclosure compliance issues in the media.

Although Citigroup is now in the process of notifying all 3.9 million people affected, it took the company almost a month to begin that process. ChoicePoint, which began informing people in February, actually learned of the breach in November 2004.

The Problem

The large sums of data that major banks and other companies possess are usually stored on magnetic tapes, according to Joe Austin at JPR Communications, an IT public relations firm. In order to protect this information, the tapes are hauled offsite to depositories every day.

The danger, Austin said, lies in the loss of tapes during transport and the fact that 95% of them are not encrypted because it's faster for the companies to access the data when needed.

According to a recent study by the Enterprise Strategy Group, 80% of companies still back up to tape. Only 7% always encrypt their data and 60% admittedly never encrypt their backup files.

"No one knows how to protect the data, or where it is or how many copies of it there are," Oltsik said. He said it is difficult to track because often it is used by multiple systems with few restrictions. "Very few companies have classified their data or [enacted] policies on the use of the data."

The Solution

To ensure that the tapes and their data are not lost or stolen, companies must encrypt the information and eliminate hardcopies. To do this, Austin said businesses need to store the information on a special hard drive and use specifically designed software to transfer it over the Wide Area Network (WAN), or business Internet.

When asked about Citigroup's efforts to encrypt data, Julavits said, "As a company we are moving towards direct electronic transmission." He added that although the original lost tapes were not encrypted, "specialized equipment is necessary" to gain access to the information on them.

Most divisions within Citigroup have already completed the transferal of consumer data to this method. The CitiFinancial unit will have this complete by July. The company planned the conversion to encrypted electronic data transmission for the consumer banking unit for this time before the breach occurred, Julavits said.

"Customer security is of paramount importance to Citigroup," Hopkins said. "While this incident affects the customers of only one of our businesses, we put significant effort into assuring that our data protection procedures meet and exceed industry standards at all of our businesses, and are reviewing the issues here as part of this ongoing effort."

Oltsik said that with the issue on the tip of Americans' collective tongue, 43% of companies are now looking for new ways to address storage security. "They are playing catch-up, but that is a long and difficult game," he said.