Immediate Vault Immediate Access

Citigroup Data Breach Worse Than Initially Reported; CIA Website Also Hacked

It turns out that the Citigroup data breach that we reported about last Friday may actually have been almost twice as large as originally reported. Last week, Citigroup had said the breach involved 200,000 cardholders, or 1% of its 21 million North American cardholders. Now they are reporting that the breach may have exposed the private financial data of more than 360,000 customers.

While the bank has been criticized for waiting a month before notifying customers about the breach (the incident was discovered on May 10 but not revealed until June 9), it is to their credit that Citigroup has been up-front about what they have done to mitigate the threat.

Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data.

The customers’ account information (such as name, account number and contact information, including email address) was viewed. However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code (CVV).

While the investigation was underway, preparations began to notify customers and, as appropriate, replace affected customers’ credit cards. As of May 24, we began the process of developing notification packages including customer letters and manufacturing replacement cards, as well as preparing our customer service teams. Notification letters were sent beginning June 3, the majority of which included reissued credit cards.

Citigroup also indicated that they have implemented “enhanced procedures” to prevent another incident and said the customers would not be liable for any fraudulent charges on their accounts and could contact the bank to set up free identity theft protection.

Unfortunately this is not the only high-profile cybersecurity incident to make headlines in the last couple of days. A group of hackers calling themselves LulzSec hacked the CIA’s website and took it offline Wednesday night. The group claims to have been responsible for recent attacks on the U.S. Senate, Sony and PBS. According to experts, their motivation has been simply for “grins and giggles.” Evidently it’s the hacker equivalent of the old mountain climbing justification, “Because it’s there.”

The larger question, however, is what do these incidents say about the preparedness of the United States to fight cybercrime. According to a interesting Reuters report, the gap between criminals and those tasked with stopping them is widening.

“We’re much better off (technologically) than we were a few years ago, but we have not kept pace with opponents,” said Jim Lewis, a cyber expert with the Center for Strategic and International Studies think tank. “The network is so deeply flawed that it can’t be secured.”

While the government is working to improve security, it seems unlikely that anyone will ever be able to get ahead of the threat. For many organizations, the only strategy may be to minimize the damage and chalk up cybersecurity as another cost of doing business. Hopefully that cost doesn’t get too high.

Similar Posts:

1 thought on “Citigroup Data Breach Worse Than Initially Reported; CIA Website Also Hacked

Comments are closed.