Citigroup Data Breach Worse Than Initially Reported; CIA Website Also Hacked

It turns out that the Citigroup data breach that we reported about last Friday may actually have been almost twice as large as originally reported. Last week, Citigroup had said the breach involved 200,000 cardholders, or 1% of its 21 million North American cardholders. Now they are reporting that the breach may have exposed the private financial data of more than 360,000 customers.

While the bank has been criticized for waiting a month before notifying customers about the breach (the incident was discovered on May 10 but not revealed until June 9), it is to their credit that Citigroup has been up-front about what they have done to mitigate the threat.

Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data.

The customers’ account information (such as name, account number and contact information, including email address) was viewed. However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code (CVV).

While the investigation was underway, preparations began to notify customers and, as appropriate, replace affected customers’ credit cards.

As of May 24, we began the process of developing notification packages including customer letters and manufacturing replacement cards, as well as preparing our customer service teams. Notification letters were sent beginning June 3, the majority of which included reissued credit cards.

Citigroup also indicated that they have implemented “enhanced procedures” to prevent another incident and said the customers would not be liable for any fraudulent charges on their accounts and could contact the bank to set up free identity theft protection.

Unfortunately this is not the only high-profile cybersecurity incident to make headlines in the last couple of days. A group of hackers calling themselves LulzSec hacked the CIA’s website and took it offline Wednesday night. The group claims to have been responsible for recent attacks on the U.S. Senate, Sony and PBS. According to experts, their motivation has been simply for “grins and giggles.” Evidently it’s the hacker equivalent of the old mountain climbing justification, “Because it’s there.”

The larger question, however, is what these incidents say about the preparedness of the United States to fight cybercrime. According to an interesting Reuters report, the gap between criminals and those tasked with stopping them is widening.

“We’re much better off (technologically) than we were a few years ago, but we have not kept pace with opponents,” said Jim Lewis, a cyber expert with the Center for Strategic and International Studies think tank. “The network is so deeply flawed that it can’t be secured.”

While the government is working to improve security, it seems unlikely that anyone will ever be able to get ahead of the threat. For many organizations, the only strategy may be to minimize the damage and chalk up cybersecurity as another cost of doing business. Hopefully that cost doesn’t get too high.

Banks’ Inability to Protect Info “Almost Shocking”

Does the financial industry think it’s invincible? Or is the industry as a whole innocently ignorant as to how to keep up with certain emerging risks?

For example, Citigroup recently became the victim of cyber thieves when the banking giant realized hackers had infiltrated its computer system and stolen personal information from more than 200,000 credit card holders, making it one of the largest direct attacks on a major bank. As the New York Times points out:

Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them. Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers. “They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”

Shocking indeed.

How, in 2011, are some of the world’s largest financial institutions unaware of the omnipresent threat of hackers? Though recent data breaches involving Sony, Amazon and Google have rightfully raised concerns regarding internet “security,” the Citigroup situation raises some serious red flags.

It raises the question of whether the flames of the ongoing cyber-war are leaping to the banks. If so, both governments and private companies must take prompt action to combat the cyber-crime.

Writing about the overconfidence that banks exhibit reminds me of my post from yesterday in which I reference the Economist Intelligence Unit’s report that stated one of the many failings within the discipline of risk management is:

2. Finance executives remain unaware of risks

According to the survey, “Compared to colleagues in legal, risk and compliance functions, finance professionals are far more likely to say that their organizations haven’t suffered from significant risk or compliance failures.” This is yet another surprising finding since the financial department is considered one of, if not the, most important department in an organization, considered the oxygen to the life of a company. If they are operating with the mindset that their company is perfect, either they’re not being true to themselves or they honestly cannot see failures. Both scenarios are scary.

Though the above refers to finance executives in any industry and the Citigroup data breach involves one company within the banking industry, the idea remains the same: the severity of data breach risks is not being acknowledged among most companies — most of all, among those companies and executives dealing with money.

At Citi, Risk Management Is Still Lacking

At least so says a new report from Crédit Agricole Securities financial analyst Mike Mayo, a vocal critic of Citigroup who met with company execs on Friday (after having “lobbied for nearly two years for an audience with” Citi chief exec Vikram Pandit) in preparation for the release of his long-term outlook on the company.

we are not convinced that there has been enough improvement in risk management, a huge consideration for this reason: for each $3 that Citi made last decade, it gave back $1 due to poor risk management. Citi still seems to have aggressiveness with financial targets (well above historical), accounting (tax credits), and corporate governance.

Also, the strategy does not always seem in sync with execution and/or financial reporting.

A history of mishaps and poor judgment

Citi mentioned that it has a new team. Yet, we’ve heard this before. Since 1998, Citi has had 30 major reorganizations or senior management changes, a disruptive lack of continuity that increases the chance for mishaps.

Not surprisingly, over this same time Citi has had about 20 significant events that reflect breakdowns in risk management, ranging from fines and settlements for dealings with Enron and WorldCom to exceptional reserve builds and writedowns.

All told, these events have added to over $100bn in pretax losses. Thus, the issue for Citi is less about squeezing out extra growth versus not messing up.

Ouch.

That last sentence doesn’t sound good at all.

UPDATE: Fox Business reporter Charlie Gasparino gives a thorough breakdown of Mayo’s report in this video.