Citi Habitats client information strewn across four city blocks
Date Reported: 1/27/09
Organization: Citi Habitats
Contractor/Consultant/Branch: None
Location: New York, New York*
*465 Columbus Ave.
Victims: Clients
Number Affected: Unknown
Types of Data: "bank statements, 401k statements, credit reports, tax returns and more driver's licenses than we could count"
Breach Description: "Thousands of pages of bank statements, credit reports, tax returns and driver's licenses were discovered along Columbus Avenue afternoon yesterday, just waiting to be picked up by would-be identity thieves"
Reference URL: WABC-TV Eyewitness News; Cityfile
Report Credit: WABC-TV Eyewitness News
Response:
From the online sources cited above:
UPPER WEST SIDE (WABC) -- Eyewitness News made a stunning discovery on the streets of the Upper West Side Monday night. Scores of documents were found strewn on the street for anyone to pick up.
[Evan] No need to fear, the people who live in the Upper West Side are all good people, right? Nobody is going to take the stolen information and supplement their income. ;)
The paper trail stretched for blocks, billowing in the cold breeze on Columbus Avenue. It was not litter, but bits and pieces of people's lives.
There were copies of bank statements, 401k statements, credit reports, tax returns and more driver's licenses than we could count.
Elyssa Shapiro was on her way to work and couldn't believe what she was seeing.
"Just all kinds of information. Things that you never want anyone to know about yourself," she said.
"It was four blocks worth of personal information and it was identity theft waiting to happen."
The documents belonged to the local office of Citi Habitats, one of New York's best-known real estate firms.
[Evan] The documents belonged to Citi Habitats, but the information belongs to their clients. It is the responsibility of Citi Habitats to treat the information with respect and protect it. Affected clients should view this incident as disrespectful. As disrespectful as if a Citi Habitat employee spit on your face, but you can clean your face.
Their clients, whose personal information we found amid the trash, were appalled.
[Evan] The clients may be appalled, but what are the real consequences for Citi Habitats? Companies know that they are rarely held accountable for their actions and often escape with little or no consequence. Sad, but true.
"I feel kind of sick to be honest," former client Laura Dannen said.
Dannen used the firm to find an apartment in 2006. We found her name, phone number and annual income on a registration form.
"Just in the gutter? My life was in the gutter. That's nice," she said.
Paul Addessi is a doctor in Arizona. We found a portion of his 2006 tax return, listing his income and his social security number.
"They're getting the information, all this tax information, driver's license and everything, and they're not shredding the documents. They have a responsibility to shred the documents that they don't need," he said.
New York State law requires businesses to destroy or delete personal information before disposing of it.
[Evan] What happens to the average business that fails to abide by this law?
Citi Habitat's president released a statement that read, in part, "We believe that during a refurbishing of our 465 Columbus Avenue office, paper that should have been shredded was improperly placed as trash.
"We took immediate steps," he insisted, "to investigate and remediate this isolated incident, and are notifying those customers whose information may have been compromised."
[Evan] Unless Citi Habitats retrieved ALL of the documents (including those picked up by Eyewitness News), how will they be able to notify the affected customers? How do you remediate compromised information? You can't un-compromise it.
The firm did, in fact, send workers to clean up the mess. But we were still finding documents a block away a full eight hours after the clean up was over.
The documents that we saw appeared to pertain to real estate transactions that took place in 2006 and 2007.
The firm insists its policy is to destroy all documents that they no longer need, but they could not explain why that did not happen in this case.
[Evan] A policy don't mean squat if it isn't communicated and enforced. Too many policies are just pieces of paper that go unread.
Commentary:
These types of incidents happen all of the time. If you don't believe me, put on some dirty clothes and check out some of your local dumpsters. I was just called last week by a friend who told me that his mortgage company lost his mortgage application along with all of his supporting information. Lost could easily mean that it was simply thrown away, by accident.
What can you do?
We hope that companies will do the right thing, but too many don't. Unfortunately, there are many companies being run by poor management. Because of this poor management, changes will only come with consequences (more law, more regulation, etc.).
Past Breaches:
Unknown

With a couple more business opportunities like this opening up in the ID field, it sure is hard to remain honest. I mean these idiots in NY give you millions, no billions for "Ponzi" schemes, leave computers and privileged information that is very valuable lying around everywhere. How can a man work when there are thousands of people begging him to "take" their money?