Monday, June 30, 2008

Citi - So Bold

I have been a customer of Citibank's for almost 20 years. In that time, Citi has gone through a few CEOs and most recently appointed Vikram Pandit to lead the company.

Last month I received the following email from Vik:



By this mindless waste of time, customer SPAM delivered under the name of the CEO, Citi is my latest Company Acting Badly:
  1. Vik wants me to "be among the first to know" of the new things Citi is doing. Do I feel special? No. Any friend I have who banks online with Citi received the same email.

  2. Vik wants me to know of "the bold steps ... at Citi". Were there any of these bold steps in his email? No. Have I received another email, letter or call from Citi in almost 50 days of these bold steps? No. Do these bold steps exist?

  3. His commitment is "create an experience in which services are seamless". Since Vik sent this via email, how about he starts with Citibank online. Why do I have a different experience if I log into Citibank.com and Citicards.com?

How can a company as large as Citi set up customer expectations for some Bold new steps and not deliver? Did Mr. Pandit even read the email that went out under his name or did some lawyer water it down to be utterly meaningless?

Since Citi named Vikram Pandit as its CEO on December 10th, the stock has fallen some 51% from $34.77 to $16.76 as of June 30th. You can see the stock chart here.

Updated 11/14/08: here

Sunday, June 22, 2008

BNY Mellon - The Spark

Yesterday, June 21st, 2008, I received this letter from BNY Mellon. It is the latest reason and spark for starting this blog.



In short, BNY (formerly Bank of New York) acts as a supplier of services to JPMorganChase (my former employer). BNY lost a storage tape in transit with my employee information, including my Social Security Number (SSN). Sound familiar? Were they working with IBM?

BNY is notifying me of the loss, apologizing and offering me some identity protection services. Sound reasonable?

It's not. Here's the stupidity behind BNY's lawyer-crafted letter.
  1. BNY found out about their loss of my identity information on Feb 27, 2008. Their letter notifying me arrived on June 21, 2008. That's a full 115 days or almost four months. No amount of internal hand wringing at BNY Mellon or Marketing/Legal spin can explain why a company would wait 4 months to notify someone of this loss. This demonstrated lack of concern for their customers ensures that I will never knowingly do business with BNY Mellon.

  2. BNY's meaningless statement of "while we have no reason to believe your information has been or will be accessed or misused" raises a lot of questions. How do they know the intent of whoever now has the tape? Does BNY know who has it? How can they predict the future on what will happen to my identity information that they lost? How does BNY know that if in the past 115 days a credit card was taken out under my name that it was truly me? They don't. The statement is meaningless and meant to make me feel better when it only raises concerns on what BNY knows and doesn't know.

  3. BNY is giving me 90 days to activate the identity protection service they recommend. That's nice - you take 115 days to notify me but I only have 90 days to activate. Shouldn't my time to decide on whether to use your service be as long as your time to decide to notify me?

  4. BNY didn't encrypt their data. Simple stupidity that should result in the firing of their CIO. Sensitive data that is moving outside of a company's data center (in this case on a backup tape) should be encrypted so it would be of no value if it fell into the wrong person's hands. This is not rocket science but may be at BNY Mellon.

  5. BNY Mellon is downplaying the loss. Their statement of "could not account for one of several boxes of backup tapes" while accurate is not forthcoming. Did they think I wouldn't Google: BNY Mellon data loss and find out that this story was covered in the press and that BNY Mellon had lost 6 - 10 tapes in that box covering 4.5 Million customers with their SSNs? Click here for the Google search.

  6. BNY says in a note at the bottom that theft insurance doesn't apply in NY state. They blame it on a regulation and have no other option for New York state customers. That's the former Bank of New York telling customers of the former Chase Manhattan Bank that their protection doesn't apply in New York. Good thing I live in CT.

It turns out that this loss was widely reported in the press for BNY Mellon customers of other banks (not JPMorganChase). You can read an article on this Company Acting Badly at Reuters.

Is this stupidity by BNY Mellon a one-time event? Read another article at Pittsburgh Tribune-Review and see.

It also appears that BNY Mellon has been extending its identity monitoring service from 12 months to 24 months. If BNY really has no concern about what will happen to my identity info then why would they be adding more monitoring time? Click here to see where they extended the time for 1400 brokers at SAIC whose data was on one of those tapes.

SAIC put significant effort behind crafting a FAQ for its brokers that makes the comparison to BNY Mellon telling for a Company Acting Badly. See SAIC's FAQ here. They go so far as to recommend that individuals consider changing bank accounts used with BNY Mellon.

Redux - IBM & Intuit

The last two companies to lose my personal information were IBM and Intuit.

Intuit lost a laptop that contained my personal information and credit card used to purchase Turbo Tax at their website. Why Intuit would allow employees to download such sensitive information to a laptop is questionable. What's not questionable is that I no longer buy Turbo Tax from Intuit's site but buy it instead (cheaper) at BJ's.

IBM lost a data file with my employee information including my Social Security Number (SSN). Why can't a multibillion-dollar company with over 300,000 employees and a massive security team figure out how to encrypt data that went on a storage tape? Or did they just not care? I no longer work at IBM - hopefully they are more vigilant about former employee information than they were about active employees.

Welcome

I've been thinking about creating this blog for a while and finally got pushed over the limit by another company (that's three in three years) that has lost my personal information including my Social Security Number.

This blog will detail those dumb things that companies do that affect me in my life. Hopefully you will find this of interest, share a comment and not have to experience any of the same stupidity.