Citi Breach Exposes Card Data

Online Breach May Impact 200K Customers

By , June 9, 2011.
Citi Breach Exposes Card Data

C

See Also: Scaling Security with Virtualized Infrastructure

itigroup confirms that a breach of its online banking platform, Citi Account Online, may have exposed personally identifiable information about hundreds of thousands of Citi customers.

According to a statement, Citi recently discovered an unauthorized user had accessed its system. The discovery was made during routine monitoring, says Sean Kevelighan, head of communications and public affairs for Citigroup.

"A limited number - roughly 1 percent - of Citi North America bankcard customers' account information [such as name, account number and contact information, including e-mail address] was viewed," Kevelighan said. "The customer's Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted." Citi has approximately 21 million card customers.

Kevelighan also says Citi has implemented enhanced security procedures, "to prevent a recurrence of this type of event."

According to a news report in the Financial Times, Citi discovered the breach in early May.

Regulatory guidelines recommend banks notify their primary regulators, which for Citi is the Office of the Comptroller of the Currency, when sensitive customer data is compromised. Guidelines do allow banks a little time between the time breaches are recognized and the time they notify customers, especially if notifying customers too soon might jeopardize breach investigations. [Read the American Bankers Association's perspective on the guidelines.]

Not the First Breach for Citi?

In 2009, The Wall Street Journal reported that the FBI had launched an investigation into an alleged Citibank computer breach linked to a Russian cybergang. Citi executives, however, vehemently denied the claim.

"We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services, in a 2009 statement regarding the alleged breach. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

In 2006, Citi did acknowledge that company information had been breached through a third-party, exposing information housed by its consumer and corporate banking arm. As a result, Citi was forced to block PIN-based transactions for customers in Canada, Russia, and the United Kingdom.

The new Citi hack comes on the heels of a number of highly publicized similar breaches, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which earlier this week said that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Flash Targeted by Zero-Day Exploit

Adobe confirms that a zero-day flaw exists in its Flash browser plug-in and promises to soon...

Latest Tweets and Mentions

ARTICLE Flash Targeted by Zero-Day Exploit

Adobe confirms that a zero-day flaw exists in its Flash browser plug-in and promises to soon...

The ISMG Network