After a brief lull in news involving data breaches, CitiFinancial, a consumer lending branch of Citigroup, New York, said June 6 that it has begun notifying 3.9 million of its U.S. branch network customers that computer tapes containing personal information were lost on the way to a credit bureau.
Also June 6, Ohio Attorney General Jim Petro filed a complaint against shoe retailer DSW Inc. as a result of the firm's handling of a data breach that it first announced in March. The suit in the Court of Common Pleas in Franklin County, OH, alleges that DSW violated the state's Consumer Sales Practices Act through an unfair and deceptive act by failing to notify every consumer that had his or her data stolen.
Though not necessarily in reaction to these developments, the Senate Committee on Commerce, Science & Transportation plans a hearing on identity theft June 16. The witness list includes Federal Trade Commission chairman Deborah Platt Majoras as well as four FTC commissioners and William Sorrell, Vermont attorney general and president of the National Association of Attorneys General.
The data lost in the CitiFinancial breach involved current U.S. CitiFinancial branch network customers and information on closed accounts from CitiFinancial Retail Services but included no data from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business, the firm said. Personal information on the tapes included names, Social Security numbers, account numbers and payment histories.
The firm said United Parcel Service was transporting the tapes at the time of their disappearance but that there was no evidence of accounts having been accessed as a result.
The letter CitiFinancial sent to consumers said, “You should know that there is little risk of your account being compromised because you have already received your loan. No additional credit may be obtained from CitiFinancial without your approval, either by initiating a new application or by providing positive proof of identification.”
CitiFinancial wrote that it is offering all affected consumers free credit monitoring and enrollment in its Citi Identity Theft Solutions program.
The firm also said it would halt its practice of shipping consumer data on tapes, opting to begin sending encrypted data electronically as of July.
The complaint against DSW stemmed from consumer data breaches that came to light earlier this year. DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. Though the number of consumers affected was not made public, reports cited Secret Service sources that put it around 100,000. Stolen data included credit card information and purchase data.
On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation of the breach saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Security firm Ubizen conducted the investigation, though law enforcement continues to investigate as well. A list of affected retail stores and more information for consumers are at www.dswshoe.com.
Information obtained from the credit card transactions included names, credit or debit card numbers and purchase amounts. The check transaction thefts divulged checking account numbers and driver's license numbers only. Retail Ventures said the stolen data did not include Social Security numbers, debit card personal identification numbers or addresses, and no Internet or loyalty program data were accessed.
The bulk of the affected transactions occurred from mid-November 2004 to mid-February 2005, Retail Ventures said. Stolen credit card numbers have been provided by the firm to American Express, Discover, Visa and MasterCard, which alerted the issuing banks. DSW is sending letters to the roughly half of the cardholders for whom it was able to obtain contact information. It also identified about 88 percent of the check customers and is notifying them as well.
The Ohio attorney general's filing asks the court to rule DSW's failure to notify all affected consumers a violation of state law and to order the firm to do so in writing.
Petro began asking that DSW notify all affected consumers in March after the breach was made public. He reiterated this request in April when the volume of stolen data was revealed. In a press release issued the day of the court filing Petro said, “As we have said repeatedly we see no reason why DSW, working with credit card companies and the underlying issuing banks, cannot arrange for direct notification of every affected consumer.”
DSW made a June 7 filing with the Securities and Exchange Commission that, among other things, set its pending initial public offering at 14.06 million shares of Class A common stock at a price of about $16 per share. DSW said in the filing, “We intend to use the net proceeds of this offering to repay $190 million of intercompany indebtedness owed to Retail Ventures and for working capital and other general corporate purposes. The intercompany indebtedness was incurred to fund dividends to Retail Ventures.”
The SEC filing also estimated the potential loss to Retail Ventures from the data theft as of April 30 to be $6.5 million to $9.5 million. It went on to say, “We do not yet know what effect this incident may have on our customers' perception of us. Since the announcement of the theft, we have not discerned any negative effect on comparable store sales trends after accounting for the shifting Easter holiday. However, given the short time period involved, these recent trends may not be indicative of the long-term effects of the incident.”
High-profile data breaches began coming to light this year when data provider ChoicePoint notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the fraud.
Similar to the CitiFinancial situation, Bank of America confirmed Feb. 25 that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center.
LexisNexis on March 9 said personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it said April 12 that another 280,000 consumers were at risk.
Many congressional hearings as well as state and federal data privacy and identity theft bills have resulted from the breaches.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters
