While the online perils to consumers' private financial information have been well documented, it appears that the physical world isn't 100% safe, either. On June 6, Citigroup (C) said a box of computer tapes with personal information on 3.9 million customers of its lending unit was lost by United Parcel Service (UPS) while in transit to a credit-reporting agency in Texas. Information that was included in the tapes included Social Security numbers and account information for current and some past U.S. customers.
The incident wasn't the first of its kind, but it's perhaps the largest of the latest breaches in the security of customer data. Consumers can't keep track of every brown van that might be bearing their essential data. But just what can they do to ensure the safety and integrity of their most sensitive financial information?
BusinessWeek Online reporter June Kim recently spoke with Steven Weisman, attorney and author of 50 Ways to Protect Your Identity and Your Credit, about the Citi/UPS snafu and what it could mean for the customers affected. They also discussed the dangers of identity theft -- and how consumers can protect themselves. Edited excerpts from their conversation follow:
Q: In a letter to its customers, Citigroup says there's little risk. Is this true?
A: No, it's not true. They're just trying to put a positive spin. The information contained names, addresses, and Social Security numbers on 3.9 million customers. And those three things are ample for an identity thief to access accounts or create new credit in their names and disrupt the victims' credit.
While Citigroup says they have plans to start encrypting the data and sending it electronically in July, instead of [using] computer tapes, this doesn't help these victims now. This information was going to the credit-reporting bureaus, which is a very legitimate place for it to go. But it just points out that there's so much access to personal information on people in so many places, the more places that have your information, the greater danger you're in.
Q: What can criminals do with the information that was stolen?
A:The Social Security number is the key thing. With that, you can get a credit card, you can open up a line of credit, perhaps even get access to someone's assets. There have been instances where people have used that information to take out a mortgage or sell their home.
They can get access to bank accounts or brokerage accounts. They can open up new lines of credit and run those up. They can also commit crimes in the name of the victim, and that can create the problem of the innocent person who suddenly finds out they have a criminal record as a drug dealer.
The havoc that's created can be long-standing, coming back months or years later. Our credit is key for our financial livelihood because it can affect whether you get a job, insurance, or a mortgage. If you have problems with your credit score or credit report, it can be very difficult to fix.
Q: What can you do to prevent someone from stealing your identity?
A:What we can do are things to protect ourselves from not being a part of the problem.
For instance, check your credit report at least annually. You can get free copies of your credit report from each of the three major credit-reporting agencies -- Experian, TransUnion, and Equifax -- at no cost in all states under federal law. Go their Web sites -- or the FTC also has one form you can do online which will contact all three agencies online.
Even if you're not a victim of identity theft, there are a lot of mistakes that occur on people's credit reports. Mistakes will understandably occur because there's so much information on hundreds of millions of Americans, but those mistakes will affect your credit, and your credit can affect your credit score.
Q: Besides starting an annual habit of checking your credit report, what routine things can you do to protect your identity?
A:Your Social Security number is a key to identity theft, so you want to be protective of it and only use it for identification.
Shred documents you have that you don't need -- old bank statements, old checks, old tax returns. Cross-shred them if you can because there seems to be a connection between identity theft and methamphetamine addicts who will stay up and spend long hours actually piecing together shredded material.
Get yourself off preapproved credit-card lists. People often throw these credit-card solicitations in the trash. A lot of identity theft isn't really high-tech: It comes from people dumpster diving. You can get yourself off the preapproved credit card mailing lists of the three major credit-report bureaus by calling the Opt Out Request Line (1-888-567-8688).
Limit the places that have personal information on you. The more places that have your information, the more you're at risk for someone else's lax security. Under the Gramm-Leach-Bliley Act, consumers can opt out of sharing information within large financial institutions.
When the federal act was passed several years ago, consumers had to affirmatively say that they didn't want their information shared. The forms were confusing and looked like junk mail, so many people threw them out. But you can write an opt-out letter requesting that your personal information be kept with the single company rather shared with affiliated companies.
Finally, if you're at a computer, you should have antispyware and firewall programs and be careful with whom you're dealing with via e-mail. The big dangers have come in when people have opened attachments from people they don't know. In past cases of security data breaches and identity theft, e-mails have included spyware key-stroke logging programs that record computer users' activities, including any usernames and passwords.
Q: Security breaches on personal data could happen to any company -- LexisNexis and Choicepoint (CPS) are two recent examples. Do you know what corporations are doing to prevent this?
A: There's a lot companies could and should be doing. One of the first things is: All personal data should be encrypted at all levels. But companies are slow to take the time and spend the money to do so. This is something companies absolutely should be doing -- it would make it so much more difficult for identity thieves to use this information.
Companies need to have stronger internal controls regarding data access. A lot of the problems have been from rogue employees getting this information and using it or selling it. There should be logging systems to see who's accessing information, and there should be better control over who has access to information. Just these simple couple of steps would help a great deal.
We need greater responsibility from corporations. If there's a security breach, affected customers should be notified, and it should be up to the individual consumer to decide how seriously they would like to treat it.
Instead [businesses often try] to cover up their own lax security. When Choicepoint was breached, there were 145,000 people affected. But they only notified their California customers, where they were required to by law. They eventually notified everyone else later, but here was a bad combination of lax security and then trying to cover it up.