Citigroup says customers' credit card data was hacked

By on June 10, 2011, 9:00 AM

Citigroup has acknowledged that a security breach last month gave hackers access to the account information of hundreds of thousands of its credit card customers.

The breach, which affected around 1% of Citi's U.S. customers, is the latest in a string of high profile attacks against big companies like Lockheed Martin, Epsilon, Google and Sony.

The issue was detected during routine monitoring in early May but it was only this week that the company began notifying customers. Citigroup did not release any information about the potential source of its breach, claiming they have been in contact with law enforcement but are not disclosing further details.

According to reports, the hackers were able to access general account information such as names, account numbers and email addresses, but the breach did not extend to Social Security numbers, dates of birth and credit card security codes. Neither Citigroup's debit card business nor its online banking operations were breached, apparently.

It's unclear if unauthorized charges have occurred so far, but naturally customers will not be liable for any misuse of their accounts. Affected customers are currently being notified and will receive replacement cards soon.

With hackers actively probing corporate networks for weaknesses, it seems customers are at the mercy of the entities that hold their information to have proper systems in place. The fact that the latest breach involves a bank is a big deal, but it is not the first time it's happened. According to the New York Times, there have been 288 publicly disclosed breaches at financial services companies exposing at least 83 million customer records over the last 6 years.

It isn't even the first time affecting Citigroup. In 2006, the group acknowledged that customer information had been breached through a third-party, and was forced to block PIN-based transactions for customers in Canada, Russia, and the United Kingdom. There were allegations of another breach in 2009 but Citi executives denied those claims.

User Comments: 11

Got something to say? Post a comment
example1013 said:

Wow, looks like someone managed to have security worse than PSN (well, other than Sony Pictures).

Archean Archean, TechSpot Paladin, said:

Considering the 'predatory' practices of citibank I feel no sympathy for them. But unfortunately, it is their customers who are going to suffer from their stupidity with regard to security.

Win7Dev said:

You would think that a bank would hash the crap out of any information that they possibly could. Just rehash the input data and compare. Instant prevention of hundreds if not thousands of accounts being compromised. I don't think you can bruteforce a 32 character password, so why would you be able to bruteforce a 32 character string of a name, address, and ssn.

MilwaukeeMike said:

You have no sympathy, Archean? I do... I know it's easy to think of a big company like it has it's own personality and accountability. And that's not inaccurate since that's what being incorporated means. But the people who work there are like you and me, and the customers are like you and me. I have sympathy for all the security staff who's probably working overtime right now to find and fix the holes, and all the staff who are scrambling to clean up this mess. I really doubt whatever marketing team that desgined those 'predatory' (do your quotes mean it's actually not?) practices is doing much.

I'm a citi customer and they've protected me from fraud a few times now, and they're customer support is great.

I just wish there were better ways to catch hackers.

Guest said:

Until semi-retirement, I worked in computer support.

The industry started with IBM and DEC VMS (and some others) as relatively secure OS's.

Then UNIX (designed by programmers, for programmers) came along and it took quite awhile to make that secure.

Then came WINTEL, and little by little security improved.

Now we have to deal with WWW and all the new mobile devices that by design are more susceptible to attacks.

The most secure device sits in a bank vault with no connection to the Internet.

Archean Archean, TechSpot Paladin, said:

Well Mil you need to read Financial Crisis Inquiry Commission of Riched M Bowen's proceedings with regard to Citi's lending practices, and its Consumer Lending Group's behavior/poor standards which brought the bank to its knees. In fact, in those days citi over-leveraged itself by something like 18.2 times when compared to its equity, which was beyond poor, to put it mildly. Kindly do remember that, when too much debt has been extended on too little capital, even a small decline in the value of bank's assets can significantly erode its capital and make it insolvent.

I don't want to indulge in boring financial debate here, but my point was not about the 'workers' of the bank, those poor folks hardly ever know what is being cooked by the top management, who in fact are the real thugs.

The most secure device sits in a bank vault with no connection to the Internet.

With the condition that if the security is 'adequate' it may be true (oh and you forgot to add 'is the' .

gwailo247, TechSpot Chancellor, said:

Milwaukeemike said:

I just wish there were better ways to catch hackers.

Send them an e-mail telling them they won a date with Olivia Munn. Most of them would probably show up.

treetops treetops said:

I wonder if it would be cheaper to just go back to using a filing cabinet system. This I understand, hackers are trying to get money. But I do not understand hackers who randomly destroy peoples computers. Its like walking up to a random persons house and throwing a brick through there window.

captaincranky captaincranky, TechSpot Addict, said:

Citibank is actually the only bank I've ever received an actual phishing email attempting to use their name.

Leeky Leeky said:

I get them all the time from Natwest, Lloyds TSB and Barclay's Bank Captain.

Guest said:


That is funny

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.