Citigroup, which is based in New York, said Monday the tapes were lost by the courier UPS while on their way to a credit bureau.
According to The Wall Street Journal, Citigroup says there is no evidence that the box of data tapes was stolen. It reportedly disappeared on the way from Weehawken, N.J., to a Texas office of the Experian credit bureau.
"Despite an exhaustive search for this package, we've been unable to find it," said Norman Black, a spokesman for UPS.
The bank said the tapes contain information about both active and closed accounts at CitiFinancial's branch network. It said they did not contain information from CitiFinancial Auto, CitiFinancial Mortgage or any other Citigroup business.
The statement said that CitiFinancial "had no reason to believe that this information has been used inappropriately, nor has it received any reports of unauthorized activity."
CitiFinancial said in its statement that the data loss "occurred in spite of the enhanced security procedures we require of our couriers."
It says there is little risk of the accounts being compromised because most customers have already received the loans to which the data refers, and no additional credit can be issued without the customers' approval.
In a letter to affected customers, the bank urges consumers to review activity on all their accounts to make sure nothing suspicious is occurring. CitiFinancial is arranging for all affected customers to sign up free of charge with a credit monitoring service for 90 days. Anyone who is victimized can get free help from Citigroup's Identity Theft resolution service.
Customers concerned about identity theft are advised to visit their local CitiFinancial branch or call 866-452-2484.
Debby Hopkins, chief operations and technology officer for Citigroup, said that the tapes were produced "in a sophisticated mainframe data center environment" and would be difficult to decode without the right equipment and special software.
Hopkins said that most Citigroup units send data electronically in encrypted form and that CitiFinancial data will be sent that way starting in July.
Citigroup, Hopkins told the Journal, ramped up security last year after an incident in February when personal data of about 120,000 Japanese customers fell out of a truck whose back door had been left open.
One of the new procedures she cites is a requirement that data shipments be processed by hand and not by bulk sorting systems. Hopkins told the Journal that a UPS worker in the CitiFinancial incident violated the rules when he scanned a "summary document" instead of the individual boxes, making the now-missing box hard to trace.