Citibank Exposed Social Security Numbers on Printed Envelopes to Customers

So today I get a letter from Citibank to inform me of the following:

…due to a processing error the nine digits in your social security number, along with a string of other numbers and letters all resembling a mail routing number, were printed on the lower edge of an envelope containing a year-end tax statement that we mailed to you recently

Here’s the letter

citibank_letter
click to enlarge

The letter goes on to state they don’t believe there is a risk to me but wanted to bring it to my attention along with an apology and let me know the issue has been corrected. They go on to offer me a 180 day free service to monitor my credit if I am still concerned about their error. They go on to apologize again at the end for any inconvenience it may have caused me.

So my first question is how the hell did customer social security numbers get exposed to the system that prints envelopes? Do they have a mail merge system that has access to unencrypted social security numbers? For me the underlying question is how this error could have occurred in the first place. How are customer social security numbers stored and accessed? I want to know the details behind these questions, how this hapenned, and what are they doing to correct it. This error gives me zero confidence in Citibank’s ability to protect my social security number and any other private data and feel they need to address all of these concerns to their customers.

The fact that they are dismissing this as a simple error without any explanation to how it occurred or steps they are taking to stop it from happening again is shameful in today’s climate. I have little respect for how they are handling this and a huge lack of confidence in them due to this incident as well. What I found even stranger is that I tried to search for any mentions of this incident on the web and the only thing I could find were 2 other people that sent out Tweets regarding it. I have no idea how many people were affected by this as a result.

The account type I have with Citibank that this occurred on is a  loan so I don’t even have the ability to easily leave them as a customer as a result. I really hope this gains more attention so that Citibank is pressured to divulge more details regarding this and be public about measures they’re putting in place to avoid it happening again in the future.

UPDATE 2/25 5PM:

cbsradionewsI was contacted by a person on the Citibank “Social Media” team who heard about my issue and called to assist me with any questions or concerns that I had. She stated that a 3rd party was NOT contracted for the mailing as I was originally told by another Citi employee and that it was sent directly from Citi. She also stated that they’ve identified the issue that caused the error and have corrected it.

Shortly after her call I was contacted by CBS Radio News who heard about my post. I gave them an interview and the story has since run nationally. I heard it along with a short sound-bite from my interview. I’ve watched the power of social media happen so often lately but this is has been a very interesting experience to watch it unfold happening to me firsthand.

40 thoughts on “Citibank Exposed Social Security Numbers on Printed Envelopes to Customers”

  1. I also received the letter. My concern was that they give you a phone number to call. They request your redemption code, address and social security number to enroll in the monitoring system. How do I know this letter is from Citibank? How do I know the number that they asked me to call is not a scam number? The number they give me to call to verify could be part of the same scam. The letter did not reference my acct. number or appear on company letterhead! It could have been sent by anyone.

    1. Patty, once I read your comment I too started to question the validity of the letter and called Citibank directly to get details. They confirmed it was real and told me they had contracted a 3rd party to send out the letters which is why they don't look official. I agree with your points and it further shows how Citibank is doing a very poor job dealing with this matter.

      1. I also received the same letter – after my initial shock and awe… i started thinking… what if it's not a third party monitoring service… what if it's citi themselves trying to hook you after the initial 180 days… This is the most un-official communication that is riddled with questions and additional potential hazards! What to do!

  2. I also received the letter. My concern was that they give you a phone number to call. They request your redemption code, address and social security number to enroll in the monitoring system. How do I know this letter is from Citibank? How do I know the number that they asked me to call is not a scam number? The number they give me to call to verify could be part of the same scam. The letter did not reference my acct. number or appear on company letterhead! It could have been sent by anyone.

    1. Patty, once I read your comment I too started to question the validity of the letter and called Citibank directly to get details. They confirmed it was real and told me they had contracted a 3rd party to send out the letters which is why they don't look official. I agree with your points and it further shows how Citibank is doing a very poor job dealing with this matter.

      1. I also received the same letter – after my initial shock and awe… i started thinking… what if it's not a third party monitoring service… what if it's citi themselves trying to hook you after the initial 180 days… This is the most un-official communication that is riddled with questions and additional potential hazards! What to do!

  3. I also got this letter today. I am very concerned with the lack of consumer privacy with these banks. I was also one if the customers who's info was "tapped into" by fraudulent activity in the Country wide customer breaches. Where will this end? It seems so all customers are exposed at some time and these are just the times we are finding out about it. I have zero confidence in any bank protecting my identity at this point.

  4. I also got this letter today. I am very concerned with the lack of consumer privacy with these banks. I was also one if the customers who's info was "tapped into" by fraudulent activity in the Country wide customer breaches. Where will this end? It seems so all customers are exposed at some time and these are just the times we are finding out about it. I have zero confidence in any bank protecting my identity at this point.

  5. Mary Ann in Hawaii

    I got one in the mail today too. Went to the website to get the free credit monitoring, but I think they ask for too much info. If I use the redemption code, that should be tied to my account. I shouldn't have to enter all my personal info. Something just does smell right.

  6. Mary Ann in Hawaii

    I got one in the mail today too. Went to the website to get the free credit monitoring, but I think they ask for too much info. If I use the redemption code, that should be tied to my account. I shouldn't have to enter all my personal info. Something just does smell right.

  7. Here's something else to ponder…When I called to redeem my "free" credit monitoring service, and the person asked for my SS, I asked for them to verify who they were. Amazingly, they could only read a statement and ask me to believe them! I did follow up with a call to Citi and the Supervisor there was extremely understanding and professional. I will call a Cti number NOT listed on the mailer, and see where it goes. This could certainly be handled better, (ie., mailer on legit Cit letterhead) but doesn't really feel like scam-hopefully Citi will learn and improve.

  8. Here's something else to ponder…When I called to redeem my "free" credit monitoring service, and the person asked for my SS, I asked for them to verify who they were. Amazingly, they could only read a statement and ask me to believe them! I did follow up with a call to Citi and the Supervisor there was extremely understanding and professional. I will call a Cti number NOT listed on the mailer, and see where it goes. This could certainly be handled better, (ie., mailer on legit Cit letterhead) but doesn't really feel like scam-hopefully Citi will learn and improve.

  9. I got the letter too. It really might be riskier to sign up for this service now. Zero confidence in Citibank… I am sending an email to my senator to see if someone puts some pressure on them.

  10. I got the letter too. It really might be riskier to sign up for this service now. Zero confidence in Citibank… I am sending an email to my senator to see if someone puts some pressure on them.

  11. i called CitiBank on a different issue. Once that was resolved, I asked about the letter and the SS# exposure. It appears real since the CitiBank person transferred me to another Citi person. As there is a real concern, call 1-800-452-2541 and speak to real person at Identity Guard. CitiBank really messed up on this one……. sad

  12. i called CitiBank on a different issue. Once that was resolved, I asked about the letter and the SS# exposure. It appears real since the CitiBank person transferred me to another Citi person. As there is a real concern, call 1-800-452-2541 and speak to real person at Identity Guard. CitiBank really messed up on this one……. sad

  13. We also received this letter and had the same initial fear about the credit monitoring service. I also feel that it is "fishy" that one of the first questions they ask when signing up for the free service is for your social security number. This could be the actual scam…So what is everyone doing? Is it still a better idea to sign up for it, or not?

    Way to go Citi.

  14. We also received this letter and had the same initial fear about the credit monitoring service. I also feel that it is "fishy" that one of the first questions they ask when signing up for the free service is for your social security number. This could be the actual scam…So what is everyone doing? Is it still a better idea to sign up for it, or not?

    Way to go Citi.

  15. I also received the same letter and too bad… I clearly notice SSN on the n=envelope…

  16. I also received the same letter and too bad… I clearly notice SSN on the n=envelope…

  17. Thats good… atleast some one should take the lead and sue the citi bank for this big error and playing with people's privacy…

    1. When I first read the letter, my first thought (s) were (a) If I were to take Citi up on the 180-day credit monitoring, would I be responsible for canceling the service? Sounds like a snow job to me.

      (b) Would I lose the ability to go after Citi if my ID is stolen or destroyed?

      I don't know about the other 599, 000 of you, but this is the kind of $@*% that keeps me up at night. Is there a lawyer in the house?

  18. Thats good… atleast some one should take the lead and sue the citi bank for this big error and playing with people's privacy…

    1. When I first read the letter, my first thought (s) were (a) If I were to take Citi up on the 180-day credit monitoring, would I be responsible for canceling the service? Sounds like a snow job to me.

      (b) Would I lose the ability to go after Citi if my ID is stolen or destroyed?

      I don't know about the other 599, 000 of you, but this is the kind of $@*% that keeps me up at night. Is there a lawyer in the house?

  19. I received the letter too. It's unconscionable what they did in today's world. They went on the cheap to try to "fix" this problem. That's assuming, of course, that the credit monitoring company is legit. Like many of you, I felt too insecure to just give my SSN based on a letter that may or may not be (but probably is) from Citibank. I'm with you, Mary Ann, that the redemption code should just bring up our info so they could monitor each of our personal credit. Again, they went the cheap way out. All said, however, I'm not sure what to do next except monitor my credit using one or more of the big named credit report companies. As egregious as Citi's mistake is, they should handle this more personally and securely. Regarding any potential suit, as a lawyer I believe there would be. Of course, the damages would be the main question. If you were not harmed financially, I'm not sure if it'd be worth your time and money to sue personally. Chances are, there's a plaintiff's lawyer out there getting a class action together as we write. But like Citi's response to their error, a class action is impersonal. But hey, maybe something will be done in due time. Something's better than nothing….and better than what we got.

  20. I received the letter too. It's unconscionable what they did in today's world. They went on the cheap to try to "fix" this problem. That's assuming, of course, that the credit monitoring company is legit. Like many of you, I felt too insecure to just give my SSN based on a letter that may or may not be (but probably is) from Citibank. I'm with you, Mary Ann, that the redemption code should just bring up our info so they could monitor each of our personal credit. Again, they went the cheap way out. All said, however, I'm not sure what to do next except monitor my credit using one or more of the big named credit report companies. As egregious as Citi's mistake is, they should handle this more personally and securely. Regarding any potential suit, as a lawyer I believe there would be. Of course, the damages would be the main question. If you were not harmed financially, I'm not sure if it'd be worth your time and money to sue personally. Chances are, there's a plaintiff's lawyer out there getting a class action together as we write. But like Citi's response to their error, a class action is impersonal. But hey, maybe something will be done in due time. Something's better than nothing….and better than what we got.

  21. I got this letter. I am not sure how good the service from the 3rd party credit monitoring company IdentityGuard. Why wont Citi provide their own identity monitoring product IDMonitor to all the affected customers – which is $12.99 per month? Is it cheaper with IdentityGurard who also provides a basic id protection service for $5 per year? I called Citi (to the number provided in the letter) to ask if they can provide their own product IDMonitor instead of another company’s product which i’m not comfortable with – the representative just said this is the 3rd party vendor they are dealing with, they have limited information to tell customers and will ask a supervisor to call me back with (as if that’s going to happen). The rep says i dont have to sign up if I dont feel comfortable with IdentityGuard – as if its a free gift they are giving and you dont have to claim if you dont like it.

  22. I got this letter. I am not sure how good the service from the 3rd party credit monitoring company IdentityGuard. Why wont Citi provide their own identity monitoring product IDMonitor to all the affected customers – which is $12.99 per month? Is it cheaper with IdentityGurard who also provides a basic id protection service for $5 per year? I called Citi (to the number provided in the letter) to ask if they can provide their own product IDMonitor instead of another company’s product which i’m not comfortable with – the representative just said this is the 3rd party vendor they are dealing with, they have limited information to tell customers and will ask a supervisor to call me back with (as if that’s going to happen). The rep says i dont have to sign up if I dont feel comfortable with IdentityGuard – as if its a free gift they are giving and you dont have to claim if you dont like it.

  23. I’m always looking for stuff about topics that I do not know about. It’s not an easy task to find things that you do not know about, because what do you look for? ;) Your blog is right up my alley regarding something new to me. Great post! Thank you.

  24. I’m always looking for stuff about topics that I do not know about. It’s not an easy task to find things that you do not know about, because what do you look for? ;) Your blog is right up my alley regarding something new to me. Great post! Thank you.

  25. Great entry, and thanks for taking the time to publish it; I’m sure otheres benefited also. It really opened my eyes for some new perspectives that I hadn’t thought of before.

  26. Great entry, and thanks for taking the time to publish it; I’m sure otheres benefited also. It really opened my eyes for some new perspectives that I hadn’t thought of before.

  27. Hello,this is Thanh Madras,just identified your Blog on google and i must say this blog is great.may I share some of the Post found in your web site to my local people?i’m not sure and what you think?anyway,Thanks!

  28. Hello,this is Thanh Madras,just identified your Blog on google and i must say this blog is great.may I share some of the Post found in your web site to my local people?i’m not sure and what you think?anyway,Thanks!

  29. A secured loan is a loan in which the borrower pledges some asset (e.g. a car or property) as collateral for the loan, which then becomes a secured debt owed to the creditor who gives the loan. The debt is thus secured against the collateral — in the event that the borrower defaults, the creditor takes possession of the asset used as collateral and may sell it to regain some or all of the amount originally lent to the borrower, for example, foreclosure of a home.

Comments are closed.

%d bloggers like this: