Citibank Exposed Social Security Numbers on Printed Envelopes to Customers
So today I get a letter from Citibank to inform me of the following:
…due to a processing error the nine digits in your social security number, along with a string of other numbers and letters all resembling a mail routing number, were printed on the lower edge of an envelope containing a year-end tax statement that we mailed to you recently
Here’s the letter
The letter goes on to state they don’t believe there is a risk to me but wanted to bring it to my attention along with an apology and let me know the issue has been corrected. They go on to offer me a 180 day free service to monitor my credit if I am still concerned about their error. They go on to apologize again at the end for any inconvenience it may have caused me.
So my first question is how the hell did customer social security numbers get exposed to the system that prints envelopes? Do they have a mail merge system that has access to unencrypted social security numbers? For me the underlying question is how this error could have occurred in the first place. How are customer social security numbers stored and accessed? I want to know the details behind these questions, how this hapenned, and what are they doing to correct it. This error gives me zero confidence in Citibank’s ability to protect my social security number and any other private data and feel they need to address all of these concerns to their customers.
The fact that they are dismissing this as a simple error without any explanation to how it occurred or steps they are taking to stop it from happening again is shameful in today’s climate. I have little respect for how they are handling this and a huge lack of confidence in them due to this incident as well. What I found even stranger is that I tried to search for any mentions of this incident on the web and the only thing I could find were 2 other people that sent out Tweets regarding it. I have no idea how many people were affected by this as a result.
The account type I have with Citibank that this occurred on is a loan so I don’t even have the ability to easily leave them as a customer as a result. I really hope this gains more attention so that Citibank is pressured to divulge more details regarding this and be public about measures they’re putting in place to avoid it happening again in the future.
UPDATE 2/25 5PM:
I was contacted by a person on the Citibank “Social Media” team who heard about my issue and called to assist me with any questions or concerns that I had. She stated that a 3rd party was NOT contracted for the mailing as I was originally told by another Citi employee and that it was sent directly from Citi. She also stated that they’ve identified the issue that caused the error and have corrected it.
Shortly after her call I was contacted by CBS Radio News who heard about my post. I gave them an interview and the story has since run nationally. I heard it along with a short sound-bite from my interview. I’ve watched the power of social media happen so often lately but this is has been a very interesting experience to watch it unfold happening to me firsthand.