News
News
6/7/2005
12:33 PM
Connect Directly
RSS
E-Mail
50%
50%

Citigroup's Lost Tapes Cast Spotlight On Data Security

Banks are considering a variety of measures to tighten the security for customer information.

This week's disclosure by Citigroup that a box of tapes containing information on 3.9 million customers was lost in transit has again pointed out the chain of vulnerabilities that banks need to strengthen to guarantee the security of customer data.

The tapes contained Social Security numbers, names, account numbers, and payment histories on customers of CitiFinancial, which provides personal, auto, and home-equity loans. The tapes also contained information on customers with closed accounts from CitiFinancial Retail Services, which provides private-label credit cards for retailers.

The tapes were picked up from a Citigroup data center by UPS Inc. on May 2, bound for a data center in Texas operated by Experian, a credit bureau. Citigroup was notified by Experian on May 20 that the box hadn't arrived; three days later it confirmed that the box was missing, whereupon it notified the Secret Service. UPS hasn't recovered the box, but says there's no indication it was stolen. The tapes were unencrypted; starting next month, the bank will begin sending the data electronically in encrypted form. The decision to do so was made prior to this week's disclosure, a spokesman says.

Banks, like all corporations handling customer data, are under intense pressure to revamp their data-protection policies. Following California's lead, eight states (Arkansas, Florida, Georgia, Indiana, Illinois, Montana, North Dakota, and Washington) as well as New York City have passed notification laws regarding information-security breaches. The patchwork of state laws is driving up compliance costs for companies, says Chris Wolf, partner and head of the privacy and data-security practice at law firm Proskauer Rose LLP. Federal laws now working their way through Congress would pre-empt many of the state laws, easing the compliance burden, he says.

Banks have set a high priority on initiatives related to data security. Banks in the United States will spend $1.6 billion on IT security this year, making up 4.1% of total IT spending, according to research firm Celent Communications. Among the top security budget items are combating insider fraud, achieving compliance, two-factor authentication, awareness and education, and anti-spyware and other tools for preventing malicious attacks.

In light of the disclosures by Citigroup and Bank of America, which reported in February that tapes containing information on 1.2 million customers were lost in transit, banks are likely to accelerate adoption of methods for better securing customer data, such as encrypting all data, tightening physical security, and installing perimeter defenses such as firewalls and intrusion-detection systems.

Still, despite the public brouhaha over customer data protection, it may take banks a while to implement all these changes. "We're looking at a redefinition of processes," says Celent analyst Jacob Jegher. "Big banks have a lot of technology and processes, which take time to change." The practice of externally shipping tapes off-site is still quite common and is unlikely to disappear, he says.

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.