CitiFinancial plans to begin encrypting data and sending it to credit bureaus electronically after data tapes containing the personal information of 3.9 million customers were lost by UPS.
CitiFinancial has begun notifying its Branch Network customers of the loss. The tapes contain customer names, Social Security numbers, account numbers and payment history.
"We and other lenders provide this information each month to credit bureaus to ensure that your credit report remains accurate and up-to-date," the bank wrote in the letter to customers. "We send the information via nationally recognized couriers and require them to use enhanced security procedures to transport the tapes from our data center to the bureaus. Nonetheless, during a recent delivery, one of these couriers lost one box of tapes. Beginning next month the information we provide to credit bureaus will be sent via direct encrypted electronic transmission."
The tapes contained information about CitiFinancial branch network customers in the U.S. as well as customers with closed accounts from CitiFinancial Retail Services. CitiFinancial said it has no reason to believe that the information has been used inappropriately, nor has it received any reports of unauthorized activity.
"We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers," Kevin Kessinger, executive vice president of Citigroup Global Consumer Group and president of Consumer Finance North America, said in a statement. "There is little risk of the accounts being compromised because customers have already received their loans, and no additional credit may be obtained from CitiFinancial without prior approval of our customers, either by initiating a new application or by providing positive proof of identification. Beginning in July, this data will be sent electronically in encrypted form."
It is not clear how much CitiFinancial and Citigroup use tape backup for other purposes, and how much of that will be replaced with electronic encrypted backup. Calls to the company were not returned by press time.
Because of high-profile incidents like the one revealed Monday by CitiFinancial, data privacy and security issues have been growing in importance, with Congress moving toward a national data privacy law. Many of the revelations of data security breaches have come because of a California law requiring that such breaches be disclosed to California residents; Congress is modeling its national efforts in part on that law.