Citi Breach: 360K Card Accounts Affected
Citi Confirms Cyber Attack More Widespread Than Believed
Citi says only North American cardholders were affected, though the tally of affected accounts has now jumped from about 200,000 to more than 360,000. Citi has approximately 21 million card customers.
"By May 24, we confirmed the full extent of information accessed on 360,069 accounts," Citi says in a June 15 statement. The bank also provides a list of affected accounts by state.
Citi says no customers will be held liable for any of the losses associated with fraudulent activity, and reiterates that only basic account information, such as name, account number and contact information, was viewed. Social Security numbers, dates of birth, card expiration dates and card security codes were not compromised, the bank says.
"As of May 24, we began the process of developing notification packages, including customer letters and manufacturing replacement cards, as well as preparing our customer service teams," Citi says. "Notification letters were sent beginning June 3, the majority of which included reissued credit cards."
The bank also says it has implemented enhanced procedures to prevent future fraud and is working with law enforcement and government officials.
Federal Deposit Insurance Corp. Chairwoman Sheila Bair, in reaction to the Citi breach, said earlier this week that the FDIC is continually monitoring financial institutions' vulnerabilities to cyberattacks. "By their nature, financial institutions are particularly attractive as targets for fraud and illegal internet crimes," Bair said in a statement. "The agencies are specifically developing additional guidance to enhance authentication procedures when customers access their online accounts."
The Office of the Comptroller of the Currency, Citi's overseeing regulator, confirms it was notified of the breach but declines to provide any additional comment.
U.S. Senator Robert Menendez, D-N.J., in a June 15 letter to the head of the OCC, called for a deeper investigation into the breach, asking that the bank's customer notification policy be reviewed. "As Citigroup's primary regulator with jurisdiction for data security issues, I hope that you also believe this to be unacceptable for consumers," Menendez says. "Over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records. ... This problem is widespread and must be properly addressed by all parties."
The Citi hack comes on the heels of a number of highly publicized similar breaches, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which last week acknowledged that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]