Hmmm.
This morning's Wall Street Journal claims that a subsidiary of Citigroup was hacked by a Russian cyber gang which stole "tens of millions" of dollars, and that the incident is being investigated by the US Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), along with the Department of Homeland Security (DHS). The WSJ gives US "government officials" - presumably from one or more of the above agencies - as its sources for the story.
The story also quotes Joe Petro, managing director of Citigroup's Security and Investigative Services, who said that, "We had no breach of the system and there were no losses, no customer losses, no bank losses.... Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."
The WSJ also says that federal agencies will not comment about their story.
So, was Citi hacked or not?
Back in 2008 in another hacking incident, Citi also denied it was hacked, but the evidence strongly indicated that it knew about the problem all along.
Banks that get hacked are generally loath to admit it, as this 2000 story in Forbes on "How to Hack a Bank" discusses. A Computer Crime and Security Survey from 2005 indicates that only 20% of companies reported security breaches to authorities.
In fact, the Forbes story tells about how it wouldn't have been difficult to steal $1 billion from Citi at the time because of its lax security standards.
It would not surprise me that the FBI has asked Citi to be quiet about the incident, while other government officials couldn't resist blabbing about it to the WSJ.
In other security news, the Obama Administration finally found someone to take the job as cyber czar: Howard A. Schmidt, a cyber-adviser in the Bush Administration.
According to the Washington Post, "Schmidt served as special adviser for cyberspace security from 2001 to 2003 and shepherded the National Strategy to Secure Cyberspace, a plan that then was largely ignored. He left that job also frustrated, colleagues said."
Anyone want to bet how long Mr. Schmidt will last this time, especially since observers tell the Post that he is over-qualified for the job?
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.