CitiFinancial, the consumer finance division of Citigroup Inc., said Monday it has begun notifying some 3.9 million U.S. customers that computer tapes containing their personal data had been lost.
New York-based Citigroup said the tapes were in a box shipped in May via UPS Inc. from a Citigroup facility in Weehawken, N.J. to an Experian credit bureau facility in Allen, Texas. Data on the tapes included account information, payment histories and Social Security numbers.
The data involved only information on consumers who had taken out loans with Citibank, such as personal loans or debt consolidation loans, according to the firm. Savings and checking account customers were not impacted, the firm said.
Most of the impacted consumers are current Citibank loan customers, but about 55,000 of the records on the tape involved consumers with closed accounts, a Citibank spokesman said. The firm said customers of its CitiFinancial Auto, CitiFinancial Mortgage or other Citigroup businesses were not impacted.
In a statement, Citigroup said that CitiFinancial “had no reason to believe that this information has been used inappropriately, nor has it received any reports of unauthorized activity.”
Norman Black, a spokesman for Atlanta-based UPS, confirmed that the tapes were missing.
“Despite an exhaustive search for this package, we’ve been unable to find it,” Black said.
Citigroup's announcement came just as the nation's top security experts gathered in Washington D.C. for an annual conference sponsored by research firm Gartner. Experts expressed surprise and dismay at the news.
"This is really inexcusable," said Gartner analyst Avivah Litan. "This is security 101. This shows just how out of control all this data is."
The announcement was just the latest in a series of data losses or breaches that have forced financial institutions and other data collectors to warn customers that their personal information may be at risk.
Last month, containing data on 600,000 current and former employees were lost by an outside data storage firm. Also in May, both headquartered in Charlotte, N.C., were notified that their financial records may have been stolen by bank employees and sold to collection agencies. Police officials say may be affected in all. And in April, online discount broker that a backup computer tape with personal information had been lost.
Kevin Kessinger, executive vice president of Citigroup’s Global Consumer Group and president of Consumer Finance North America, told The Associated Press that the tapes left CitiFinancial on May 2 and were discovered missing on May 20. Senior managers were notified May 24. The Secret Service was told of the loss of the tapes on May 27 and began investigating.
Kessinger said the bank’s letter encouraged consumers to review activity on all their accounts to make sure nothing suspicious was occurring. He said CitiFinancial also was arranging for all affected customers to sign up free of charge with a credit monitoring service for 90 days. And, he said, if a customer is victimized, they will get free help from Citigroup’s Identity Theft resolution service.
Customers who are concerned about identity theft should visit the local CitiFinancial branch, or call 866-452-2484.
“Clearly we regret that this happened with our customers,” Kessinger said. “We’re trying to be upfront — to communicate and to talk about what the issues are.”
Gartner's Litan said consumers deserve more than 90 days worth of the service, however, since many identity thieves squirrel away stolen data for months before using it.
"This is a mediocre response, they are throwing people a bone," she said. "Three to five years would have been more meaningful."
CitiFinancial said in its statement that the data loss “occurred in spite of the enhanced security procedures we require of our couriers.”
It said there was little risk of the accounts being compromised because most customers already had received their loans and that no additional credit could be issued without the customers’ approval.
However, since the tapes include personal identification information such as Social Security numbers, thieves who managed to access the data could open accounts at other financial institutions or commit a wide array of identity theft crimes.
Account information is sent regularly by financial institutions to credit bureaus to keep consumer credit reports up to date. In the past, all firms sent such tapes to the credit bureaus, though now many firms send the information electronically. In an Internet-based seminar last month, Experian, the credit bureau to which the lost data was headed, specifically recommends electronic delivery.
Debby Hopkins, chief operations and technology officer for Citigroup, said that the tapes were produced “in a sophisticated mainframe data center environment” and would be difficult to decode without the right equipment and special software.
Hopkins said that most Citigroup units send data electronically in encrypted form and that CitiFinancial data will be sent that way starting in July.
Tumbleweed Communications Corp. performs such encrypted data transmissions for eight of the top 10 financial institutions, including Wells Fargo and Bank of America, according to CEO Jeff Smith. He said the CitiFinancial incident points out a bit of any irony — in this case, transmission over the Internet is more secure than old-fashioned means. Citigroup is not a customer, he said.
"If you send it encrypted directly, we're going to pull people and third parties out of the process. When you do that, you are less susceptible to fraud," Smith said. "It's also a lot cheaper than UPS."
MSNBC.com's Bob Sullivan, The Associated Press and Reuters contributed to this report.