Citigroup loses data on 3.9 million customers

The banking firm has written to customers whose information was stored on computer tapes that were lost last month by courier UPS in transit to a credit office.

Kevin Kessinger, Citigroup's president of consumer finance in North America, said: "We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers.

"There is little risk of the accounts being compromised because customers have already received their loans, and no additional credit may be obtained from CitiFinancial without prior approval of our customers, either by initiating a new application or by providing positive proof of identification. Beginning in July, this data will be sent electronically in encrypted form."

The tapes contained US customer data from CitiFinancial branch network operations and CitiFinancial Retail Services. The company said the tapes did not contain information from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business.

The company also believes the data has not been compromised and that none of the tapes contained details of CitiFinancial network customers in Canada or Puerto Rico.

"We are making every effort to ensure that our customers are aware of what we are doing and what we suggest they do to protect their identity. We are committed to ensuring that our customers have the support they need to monitor their credit and know how to respond should they identify any problems," added Kessinger.

Last week, the Japanese arm of investment firm UBS apologised for losing a hard disk that contained confidential data of 15,500 customers.

Continuity Forum Comment

There can’t be many people who haven’t had something ‘lost in transit’, but the experience of Citigroup shows that while mistakes can and will happen. The nature of today’s world means and the desire of media to report new stories means that within a few hours even a relatively minor problem will be seen by potentially tens of millions of people and you can be sure it will affect the way many view the organisation.

In most respects this simple process failure is a day to day occurrence, something lost or stolen, but carrying sensitive information, becomes a story reported widely and needing a measured response form the organisation affected. The clear statement and explanation from Citigroup shows to Customers that there is little on-going Risk to them and that the already strict procedures in place further reduces the Risk to clients.

Another detail that it is important to learn from is the issues was not created directly by Citigroup, rather it was a supplier of core services that was responsible for the loss despite the ‘added measures’ Citigroup had in place. This shows the importance of working with key partners in the Supply Chain to ensure on-going compliance withyour special procedures and to avoid supplier complacency creeping in. Failure to ensure that your policies and procedures are being adhered to can quickly undermine even the best plans and procedures and result in incidents like this or indeed far far worse problems.

Forum Statistic

  •  Fewer than 20% of Global 2000 companies work with their Key Supply Chain Partners to embed BCM and even fewer (7%) regularly include partners in Exercises and Rehearsals despite the knowledge of the risks.

    Ends
    _________________________________

    If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna or Russell at the Continuity Forum directly on 020 8993 1599 or [email protected]