In a case that could serve as a warning to other banks that contribute customer data to public storehouses, Citigroup this week acknowledged that it failed to safeguard the personal information — Social Security numbers, birth dates and other sensitive data — of nearly 150,000 consumers who went into bankruptcy between 2007 and 2011.
The New York bank admitted that it didn't properly redact court records put on the government's legal document system, Pacer (Public Access to Court Electronic Records).
Citi settled with a division of the Justice Department, the U.S. Trustee Program, in a pact unsealed earlier this week in which it agreed to redact the customer information at its own expense; notify all the affected debtors and third parties; and offer a year of free credit monitoring.
The mix-up affected people in 85 separate jurisdictions nationwide.
Citi discovered a problem with the way its software redacted customer data on bankruptcy proof of claim court filings for secured loans. "The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings," the bank said in a statement. "As a result of this limitation in technology, personally identifiable information could be exposed and read if electronic versions of the court records were accessed and downloaded from the courts' online docket system and if the person downloading the information had the technical knowledge and software to restore the redacted information."
In addition, Citi discovered that some personally identifiable information in a somewhat smaller portion of filings was not entirely redacted by Citi. Approximately 146,000 court filings were affected by these issues.
According to the bank, when it discovered the redaction issues in April 2011, it immediately implemented new procedures to prevent their recurrence, including upgrading the relevant computer software and retraining employees on enhanced redaction policies and procedures.
"In addition, we immediately began working on a remediation plan to restrict electronic access to the relevant filings and substitute new court filings in which the personally identifiable information is permanently concealed," the bank said.
But at the time, the U.S. Trustee said, Citi failed to disclose the countrywide scope of the breach. The bank also did not propose a verifiable solution to the problem, according to a press release, or promise to make the issue public and notify customers.
In March 2012, the U.S. Bankruptcy Court for the Southern District of New York approved Citi's settlement with the U.S. Trustee.
And, finally, early this month an independent auditor certified that Citi had notified customers of the privacy breach and made good on its promise of providing the credit monitoring.
That auditor, which was required by the U.S. Trustee, is also reviewing Citi's follow-up to the mistake. Those investigators are expected to issue a certification of the work by the end of the year, according to the release.
In the meantime, Citi is vowing that it's put the issue behind it.
"We take the safeguarding of customer information very seriously," the bank said. "We are not aware of any instances in which personal information was accessed or downloaded and have no reason to believe that any personal information was misused."
The reason for the error could be as simple as a quality and control mistake, says Ben Knieff, a fraud, anti-money laundering and data privacy consultant in New York.
"It depends on the source [of the issue], if some developers simply failed to include a masking statement in their SQL query, it's hardly an update," he says of the potential need for a technology upgrade. "And that seems entirely possible, and that's a bug you should catch." Though without knowing how Citi handles its redaction process and what software or technology it's using, it's impossible to say how the issue originated, he acknowledges.