Author Topic: "We keep our customer's information secure.........."  (Read 110 times)

StarOfAfrica2
"We keep our customer's information secure.........."
« on: June 07, 2005, 04:52:32 PM »
As if identity thieves didn't have enough ways to steal your life. Let's just make it easier!

Quote
Citigroup Inc. said a cardboard box containing computer tapes with personal information on 3.9 million customers of its storefront consumer-finance unit was lost by United Parcel Service Inc., despite "enhanced security procedures" to protect such information.

The incident, which involves names, Social Security numbers, account numbers and payment histories of all U.S. customers and some former customers of the CitiFinancial branch network, appears to be the largest of a string of recent mishandlings by large corporations of personal information about customers and employees. As such, it is likely to fan growing outrage from consumer groups to Capitol Hill about what companies are doing to prevent identity theft and why such information isn't routinely encrypted.

Citigroup said there was no evidence that the tapes had been stolen or that the loss of data had resulted in any fraud, and contended that there was little risk that the accounts would be compromised. Nevertheless, the blunder constitutes a major embarrassment for both the big financial-services firm, which has built a large marketing effort around identity-theft protection, and the Atlanta-based shipping giant, which boasts of its ability to track packages closely.

"We sincerely regret that we weren't able to find this package" after an "exhaustive search," a UPS spokesman said. "We've been unable to find any trace of it." The missing box was part of a May 2 monthly shipment of customer information from a CitiFinancial data center in Weehawken, N.J., to a Texas office of credit agency Experian, part of GUS PLC of Britain. Citigroup concluded the box was missing May 24.

The incident continues a drumbeat of disclosures that have raised questions about whether large companies are getting sloppier in their handling of such sensitive information. Last month, Time Warner Inc. said that computer tapes containing personal information of about 600,000 current and former employees were lost, apparently during a truck ride to a data-storage facility. In December, Bank of America Corp. said backup computer tapes containing information on 1.2 million federal employees were lost while being moved by a commercial airline from a bank facility to a data-storage facility.

Jay Foley, co-executive director of the Identity Theft Resource Center in San Diego, a nonprofit that assists victims of identity theft, doesn't attribute the spate of disclosures to deteriorating corporate security, but to a fear by large companies that an increasingly troubled public will turn against them if they keep such breaches secret. In addition, a California law that went into effect in 2003 mandates the disclosure of security breaches if information such as Social Security or bank-account information is disclosed, and such disclosure doesn't compromise an investigation. Citigroup said this California law applied to the recent loss.  
 
Kevin Kessinger, president of Citigroup's North American consumer-finance operations, maintained that the data loss presented "little risk" that the accounts involved would be compromised. CitiFinancial caters to customers with low credit ratings who turn to its branches for unsecured personal loans, for financing for retail purchases, and for mortgages. Mr. Kessinger argued that such customers had already received their loans, affording no opportunity for anyone else holding their account information to withdraw more.

But consumer advocates point out that lost names and Social Security numbers can make their way into the hands of thieves who use the information for other forms of fraud. "The risk is when someone has your name and Social Security number, he can go out and open accounts that you don't know anything about," said Mr. Foley.

Mr. Kessinger acknowledged the possibility. "If there was zero risk, we wouldn't be talking," he said. CitiFinancial has begun mailing letters to all 3.9 million U.S. customers alerting them to the problem and offering advice to protect themselves from potential fraud, including a free three-month enrollment in a credit-monitoring service. The breach didn't involve customers of CitiFinancial Auto or CitiFinancial Mortgage.

Debby Hopkins, Citigroup's chief operations and technology officer, said the tapes were lost in spite of beefed-up security measures put in place after an embarrassing breach that occurred in Singapore in February 2004. In that case, data on about 120,000 customers of Citigroup's Japanese retail bank literally fell out of a truck when a third-party courier left the back open. The incident infuriated Japanese regulators, although Ms. Hopkins said no customer accounts were compromised as a result.

The slip-up prompted Citigroup to overhaul the way it handles such information, Ms. Hopkins said. The bank is now in the process of shifting, department by department, from physically shipping such data to encrypted electronic transmission. The process, she said, is about one-third complete, and CitiFinancial is scheduled to make the shift in July.

On an interim basis, Citigroup said, it had beefed up security for the shipment of such data. It required couriers such as UPS, for example, to handle all such packages by hand, and not route them through any bulk sorting systems.

The lost box was part of a multibox shipment that was supposed to be subjected to the enhanced security. According to Ms. Hopkins, the UPS driver violated procedures when he "didn't scan this specific box, but a summary document" listing all of the boxes. As a result, it was difficult to trace the missing box. "We don't have the specifics of how far this box got, because the remaining boxes got through," Ms. Hopkins said.

The UPS spokesman declined to comment on Citigroup's account, or on the specifics of its attempt to trace the package.

Citigroup said it had alerted law-enforcement officials, including the Secret Service, which is charged with investigating identity-theft fraud.
« Last Edit: June 07, 2005, 05:00:22 PM by StarOfAfrica2 »