Jaime Levy Pessin at Dow Jones Newswires reported today that Citigroup's ABN Amro Mortgage Group allowed a data breach that released the names, Social Security numbers and mortgage information of thousands of people. As Permit/Deny hits the wire, Citigroup public affairs had no comment on the story.
According to Pessin's story, confirmed by Tiversa, the information was leaked by an employee of Citigroup's ABN Amro Mortgage Group unit onto the peer-to-peer file-sharing network LimeWire. I have a lab machine searching for the documents now even though the data was supposedly removed on Thursday, Sept. 20. By their nature, peer-to-peer networks make data out in the wild almost impossible to control.
The problem could have been addressed by data control products I've reviewed and blogged about, including Vontu.
As I've said before, the cash register at the local mom-and-pop store has more physical security than laptops and handheld devices that carry hundreds of thousands or millions of dollars' worth of liability. It may be that handhelds and laptops carrying large amounts of protected data are unsafe at any speed. The only thing really protecting companies from an all-out consumer rebellion is that the data seems not to have been the target of the loss (in the case of ABN Amro Mortgage Group at Citigroup) or theft, as was the case when I gave the Veterans Administration a "Stupid Technology Trick Award" in 2006. Then I wrote:
"The FBI determined that the thefts were motivated by a desire to steal the laptop and external hard drive, and not the data the devices contained. While that's nice to know, the question remains: Why was the personal data of 26 million-plus people allowed to be carried home by a VA employee?"
Gordon Rapkin at Protegrity, an international data security company, told me in relation to the Citigroup breach that companies must create a culture that engenders vigilance around protecting customer data. Amen, because on a much smaller scale, but still startling nonetheless, was what I observed at a convention last week.
The casual and often unintentional misuse of personal data isn't limited to what is downloaded onto people's laptops. At the Salesforce.com Dreamforce "global gathering" in San Francisco, I was able to get the name and telephone number of an elementary school student at the Bronx Lab School, the name and phone number of a Salesforce.com employee, and I'm pretty sure the password--"wizard"--for a demo site used to show upcoming features under development at Salesforce. This information wasn't in a private briefing. This was available on the big screen for all to see. The student data was shown to a group of at least 5,000 during Marc Benioff's keynote address on Monday, Sept. 17, in the Moscone Convention Center.
I hate to think that companies will only take seriously the issue of data privacy and security as the result of legislation and regulation. However, while Citigroup was tight-lipped with a "no comment" for this blog, the names, SSNs and mortgage details of more than 5,000 of its customers are reported to be practically prancing around the Internet. In the end, the business and IT managers who control the data that makes business work so well must find ways to become more responsible stewards of the slippery bits and bytes in their possession.