Citi Breach: 360K Card Accounts Affected

Citi Confirms Cyber Attack More Widespread Than Believed
Citi Breach: 360K Card Accounts Affected
This week, Citigroup updated the list of credit card customers impacted by the May 10 breach of its online banking platform. [See Citi Breach Exposes Card Data.] The breach, which likely exposed personally identifiable information of about 1 percent of Citi's credit card accounts, was made public earlier this month.

Citi says only North American cardholders were affected, though the tally of affected accounts has now jumped from about 200,000 to more than 360,000. Citi has approximately 21 million card customers.

"By May 24, we confirmed the full extent of information accessed on 360,069 accounts," Citi says in a June 15 statement. The bank also provides a list of affected accounts by state.

Citi says no customers will be held liable for any of the losses associated with fraudulent activity, and reiterates that only basic account information, such as name, account number and contact information, was viewed. Social Security numbers, dates of birth, card expiration dates and card security codes were not compromised, the bank says.

"As of May 24, we began the process of developing notification packages, including customer letters and manufacturing replacement cards, as well as preparing our customer service teams," Citi says. "Notification letters were sent beginning June 3, the majority of which included reissued credit cards."

The bank also says it has implemented enhanced procedures to prevent future fraud and is working with law enforcement and government officials.

Federal Deposit Insurance Corp. Chairwoman Sheila Bair, in reaction to the Citi breach, said earlier this week that the FDIC is continually monitoring financial institutions' vulnerabilities to cyberattacks. "By their nature, financial institutions are particularly attractive as targets for fraud and illegal internet crimes," Bair said in a statement. "The agencies are specifically developing additional guidance to enhance authentication procedures when customers access their online accounts."

The Office of the Comptroller of the Currency, Citi's overseeing regulator, confirms it was notified of the breach, but declined to provide any additional comment.

U.S. Senator Robert Menendez, D-N.J., in a June 15 letter to the head of the OCC, called for a deeper investigation into the breach, asking that the bank's customer notification policy be reviewed. "As Citigroup's primary regulator with jurisdiction for data security issues, I hope that you also believe this to be unacceptable for consumers," Menendez says. "Over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records. ... This problem is widespread and must be properly addressed by all parties."

The Citi hack comes on the heels of a number of highly publicized similar breaches, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which last week acknowledged that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.