Tightest ship in the shipping business? Four million people might beg to differ.

CitiGroup now admits that personal information on 3,900,000 consumer lending customers is now floating around somewhere.

Unlike other security lapses, this doesn’t involve an internet transfer. Instead, Citi was sending a physical tape with the data to a credit bureau.

And UPS, which ships 14-million packages a day, just happened to lose this one.

Citi is doing its best to point the finger at UPS, even going as far as releasing a statement that is tantamount to a pink slip:

“We deeply regret this incident, which occurred in spite of the enhanced security procedures we require of our couriers,” Kevin Kessinger, executive vice president of Citigroup (Research), said in a statement. “Beginning in July, this data will be sent electronically in encrypted form.”

While this looks really bad for UPS for the time being, let’s put this in perspective.

First of all, this is not another one of those stories about an internet breach or a computer virus or a phishing scam that has put your personal financial information at risk. No one (as far as we know) set out to procure this stuff. It’s just lost.

Second, the odds of someone stumbling across the tape who can recognize what it is and have the appropriate equipment to read it is fairly small.

Third, has it occurred to anyone that maybe CitiGroup might be just a little behind the times here? Running large chunks of data through a sneakernet? I’m sure a secure intranet connection would be faster, with more frequent transfers. (I’ll bet a dedicated fiber line directly to Experian would be cheaper than this PR headache will be.)

I’d like to know how many other outdated and inefficient measures Citi takes with regards to my profile. Is the electronic transfer going to be any safer? Isn’t the use of couriers supposed to keep the hackers at bay? If electronic transfer is safer, then why has Citi been hoofing it? If the relative shift in safety is unknown, then why issue an immediate policy change? If one method is clearly safer than the other, why haven’t they been using it? If not, then why suddenly switch?

I know what Citi is trying to accomplish in retaining consumer confidence. But its actions come across as rather rash, especially when placed under responsible journalistic scrutiny.

Maybe it’s time to break down and buy identity theft insurance.