When CitiFinancial, the Baltimore-based consumer-finance division of Citigroup Inc., put a box of computer tapes that documented the financial habits of its customers on a UPS truck in Weehawken, N.J., last month, the shipment represented one routine step in the nation's sprawling credit system.
Thousands of companies regularly ship or electronically transfer personal information to three credit reporting agencies, and CitiFinancial's box was bound for a data processing center in Allen, Texas. The process allows other banks and lenders to determine the credit-worthiness of an applicant for a mortgage or credit card.
"The Social Security number is the key to unlock your finances," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocacy group based in San Diego. "If someone has that, they can impersonate you and obtain credit in your name."
The case of the missing box is the latest in a rash of data-security breaches that have prompted companies to improve safeguards and try to make amends with customers. And it has stoked a debate in Congress over when companies must go public with such incidents, which can lead to identity theft or financial fraud.
Almost 60 breaches of personal financial information involving 13.5 million individuals who could potentially be affected have been reported this year, according to the Identity Theft Resource Center. It's the first year the center has kept the statistics, partly because companies rarely disclosed problems before a 2003 California law required them to tell customers in the state if their information has been compromised.
Companies operating nationwide have acknowledged similar incidents since then. Atlanta-based ChoicePoint Inc., which admitted in February that it accidentally sold data on 145,000 consumers to identity thieves, first told only California residents who were at risk. But it informed residents elsewhere when state attorneys general demanded equal treatment.
Among those recently reporting breaches are Wachovia Corp. and Bank of America Corp., which notified more than 100,000 customers that their financial records might have been stolen by bank employees and sold to collection agencies. Also, Ameritrade Holding Corp. informed 200,000 current and former customers that a backup computer tape with personal information had been lost.
Other cases have involved employee data.
Time Warner Inc. said backup tapes with Social Security numbers and other information on current and former employees dating to 1986 went missing en route to Iron Mountain Inc., a data storage firm. The tapes also had some data on beneficiaries and dependents, and was used as part of retirement and other benefit programs. Time Warner hasn't been able to determine if the tapes were lost or stolen, spokeswoman Kathy McKiernan said.
About half of the data-security failures this year have involved universities, including Boston College and the University of California at Berkeley, as well as local school districts.
Congress is considering a national data-theft notification law, which is being pushed by privacy advocates, who say that companies can still choose to keep a breach under wraps.
"We are depending on companies to be good corporate citizens, and yes, they can hide a breach," said Linda Foley, co-executive director of the Identity Theft Resource Center. "Consumers are not willing today to blindly give trust any longer."
While breaches may not involve criminal activity, companies are warning customers to head off identity theft. About 9.3 million people were the victims of identity theft in the United States last year, costing more than $52 billion, according to a study released in January by the Better Business Bureau and Javelin Strategy and Research. Low-tech methods of thievery remain the norm, such as stealing wallets and "dumpster diving," or rifling someone's trash, the report said.
CitiFinancial, which has 32 branches in Maryland, has begun sending letters to customers informing them of the missing data. It is urging consumers to watch for suspicious activity on their accounts as well as on their credit reports, which would include all financial transactions undertaken in their name. A spokesman reiterated yesterday that the company has no reason to believe that a crime has been committed.
UPS spokesman Robert S. Godlewski said, "We haven't given up hope that we'll find the package." He said UPS is exploring several possibilities, including that the shipping label peeled off, or that the box fell apart and its contents spilled.
Many companies, including CitiFinancial, Wachovia, Time Warner and ChoicePoint have offered to pay for customers to access their credit reports for up to a year, as security experts say identity thieves often wait for months before using stolen information. A new federal law will entitle consumers to one free credit report a year, an option that has been available to Marylanders for years.
Many companies say they have bolstered their computer technology and other security measures. Experian, a credit-reporting agency, has undertaken a project to encourage companies to switch from sending tapes in bulk through the mail to sending the information electronically and in encrypted form.
Citigroup is one of the firms that has signed up, but the missing tapes weren't protected with encryption because CitiFinancial won't come online until July. Such tapes can only be accessed with specialized computer equipment.
"The data industry and financial institutions really have been inspired to shore up their security procedures," said Jordana Beebe of the Privacy Rights Clearinghouse. "The last thing they want to do is to send out a notice saying there has been a data security breach."