According to a statement, Citi recently discovered an unauthorized user had accessed its system. The discovery was made during routine monitoring, says Sean Kevelighan, head of communications and public affairs for Citigroup.
"A limited number - roughly 1 percent - of Citi North America bankcard customers' account information [such as name, account number and contact information, including e-mail address] was viewed," Kevelighan said. "The customer's Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted." Citi has approximately 21 million card customers.
Kevelighan also says Citi has implemented enhanced security procedures, "to prevent a recurrence of this type of event."
According to a news report in the Financial Times, Citi discovered the breach in early May.
Regulatory guidelines recommend banks notify their primary regulators, which for Citi is the Office of the Comptroller of the Currency, when sensitive customer data is compromised. Guidelines do allow banks a little time between the time breaches are recognized and the time they notify customers, especially if notifying customers too soon might jeopardize breach investigations. [Read the American Bankers Association's perspective on the guidelines.]
Not the First Breach for Citi?In 2009, The Wall Street Journal reported that the FBI had launched an investigation into an alleged Citibank computer breach linked to a Russian cybergang. Citi executives, however, vehemently denied the claim.
"We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services, in a 2009 statement regarding the alleged breach. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."
In 2006, Citi did acknowledge that company information had been breached through a third-party, exposing information housed by its consumer and corporate banking arm. As a result, Citi was forced to block PIN-based transactions for customers in Canada, Russia, and the United Kingdom.
The new Citi hack comes on the heels of a number of highly publicized similar breaches, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which earlier this week said that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]