Citigroup Reveals More Compromised Client Accounts

Thursday, June 16, 2011



Last week officials from Citigroup confirmed that an unauthorized network access event may have compromised the private account details of a large number of North American banking clients.

Recently updated reports put the number of affected Citigroup customers as high as 360,000, and the number could grow as the investigation continues.

Representatives of Citigroup said they detected the breach of the Citi Account Online network in May through routine monitoring of the systems. Thus far, it appears that only credit card accounts were exposed in the breach, though some reports suggest that some debit card information may have been involved.

Citigroup immediately reported the security incident to law enforcement and regulatory authorities, but has not revealed any particular details of the data loss event. The company is in the process of notifying customers whose data may have been exposed.

Citigroup released the following statement in an effort to clarify details on the data loss event:

To Our Customers:

You may have recently read in the media about a compromise to Citi Account Online impacting credit card accounts in North America.

We wanted to share more specifics with you regarding the event. First, we want to confirm three things:

1. From the moment Citi discovered the breach we took immediate action to rectify the situation and protect any customers potentially at risk.

2. Customers are not liable for any fraud on the account and are 100% protected.

3. Every decision made throughout this process was in the best interest of our customers.

Updated Information on Recent Compromise to Citi Account Online For Our Customers

** Includes specific details, including dates and number of customers impacted **

On May 10, a compromise to Citi Account Online that impacted roughly one percent of North America Citi-branded credit card accounts was discovered as part of routine monitoring and immediately rectified. While Citi Cards' Account Online system was compromised, the main cards processing system was not. Other Citi consumer banking online systems were not accessed or compromised.

Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data.

The customers' account information (such as name, account number and contact information, including email address) was viewed. However, data that is critical to commit fraud was not compromised: the customers' social security number, date of birth, card expiration date and card security code (CVV).

While the investigation was underway, preparations began to notify customers and, as appropriate, replace affected customers' credit cards. As of May 24, we began the process of developing notification packages including customer letters and manufacturing replacement cards, as well as preparing our customer service teams. Notification letters were sent beginning June 3, the majority of which included reissued credit cards.

Citi has implemented enhanced procedures to prevent a recurrence of this type of event. We have also notified law enforcement and government officials. For the security of our customers, and because of the ongoing law enforcement investigation, we cannot disclose further details regarding how the data breach occurred.

Our customers are not liable for any unauthorized use of their accounts. We encourage our customers to review their account statements and to report any suspicious or unauthorized charges to us. Citi also offers free personalized identity theft solutions to assist our customers in taking appropriate steps if they believe they are a victim of identity theft.

Customers with additional questions can call the toll free number on the back of their card for help from Citi Customer Service. We continue to monitor customer service and communication channels and take every necessary action to ensure our customers are cared for.


Total Accounts Impacted:

* A total of 360,083 North America Citi-branded credit cards were affected. Only accounts issued in the U.S. were impacted.

* 217,657 accounts were reissued credit cards along with a notification letter.

* Some accounts were not re-issued credit cards if the account is closed or has already received new credit cards as a result of other card replacement practices. These accounts continue to receive heightened monitoring for suspicious activity. 

