The Financial Times of London reported last night that Citigroup had been hacked, and that an unknown number of credit card accounts compromised. The FT says the number could reach into the hundreds of thousands.
The FT article says Citigroup discovered the breach in early May through routine monitoring of banking activity but the bank did not publicly disclose the breach until the FT started to make inquiries.
The story in the FT states that:
"The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and email addresses. Other information such as birth dates, social security numbers and card security codes are held elsewhere and were not compromised, Citi said."
Citigroup says that it has contacted law enforcement, but it refuses to give additional details about the hack other than to say that about 1% of its credit card holders were affected. The bank, the FT says, has 21 million customers in North America.
Citigroup also told the FT that only credit card accounts have been compromised, but the FT reports that Citigroup debit cards might also have been compromised.
For a major bank to be breached is, as one security analyst put it, a "very big deal."
For the breach not to be reported until a newspaper comes calling is probably going to turn it into an even bigger deal.
What is intriguing is that an article in Tuesday's New York Times says that Citigroup is among the companies that is going to replace its SecurID tokens after the hack at RSA.
So, is this hack a result of the SecurID breach, and is that why the bank is being so mum about it? If so, this could make it a tremendously huge deal, especially for RSA.
At the very least, this latest breach will provide further ammunition to those in the US Senate trying to make public companies disclose security breaches, which many never mention. It would also give additional ammunition to Senator Patrick Leahy who has introduced once more a bill that would make the "intentional or willful" nondisclosure of a data breach a federal crime.
That is looking more and more like a good idea.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.