Citigroup Admits Being Hacked in May: Coy About Extent of Impact

The Financial Times of London reported last night that Citigroup had been hacked and that an unknown number of credit card accounts had been compromised. The FT says the number could reach into the hundreds of thousands.

The FT article says Citigroup discovered the breach in early May through routine monitoring of banking activity, but the bank did not publicly disclose it until the FT started to make inquiries.

The story in the FT states that:

"The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and email addresses. Other information such as birth dates, social security numbers and card security codes are held elsewhere and were not compromised, Citi said."

Citigroup says that it has contacted law enforcement, but it refuses to give additional details about the hack other than to say that about 1% of its credit card holders were affected. The bank, the FT says, has 21 million customers in North America.

Citigroup also told the FT that only credit card accounts were compromised, but the FT reports that Citigroup debit cards might have been affected as well.

For a major bank to be breached is, as one security analyst put it, a "very big deal."

For the breach not to be reported until a newspaper comes calling is probably going to turn it into an even bigger deal.

What is intriguing is that an article in Tuesday's New York Times says that Citigroup is among the companies that are going to replace their SecurID tokens after the hack at RSA.

So, is this hack a result of the SecurID breach, and is that why the bank is being so mum about it? Nothing Citigroup or the FT has said establishes a link, but if there is one, this becomes a far bigger deal, especially for RSA.

At the very least, this latest breach will provide further ammunition to those in the US Senate trying to make public companies disclose security breaches, which many never mention. It would also give additional ammunition to Senator Patrick Leahy, who has once more introduced a bill that would make the "intentional or willful" nondisclosure of a data breach a federal crime.

That is looking more and more like a good idea.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 