Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

Citibank Data Breach: Even the Banks Can’t Get It Right

Posted in Data Security Breach Response

The breaches about which we normally hear have to do with retailers and service providers.  Those businesses are the ones that do not appreciate the importance of protecting data, feel the money needed to create good security could be better spent elsewhere, and are the easy targets for hackers.  Thankfully, what we generally do not hear about are data breaches at large financial institutions.

Citigroup announced yesterday that its servers were hacked into in early May and the names, addresses, account numbers and other account information of 200,000 credit card customers were stolen.  Citigroup further reported that social security numbers, CVV security codes and dates of birth were NOT stolen.  This data breach affects approximately 1% of all of Citigroup’s customers.

There is no information about how the hackers were able to access Citigroup’s servers.  It is unclear whether information on this security breakdown will ever be released, but the occurrence is a stark contrast to the normal data loss involving systems that are not as well-protected as financial company systems.  Generally speaking, retailers are easy targets; financial institutions are not.

The current delay in notifying affected individuals may be the result of Citigroup’s cooperation with law enforcement, considering that Citigroup is otherwise required to notify those affected individuals almost immediately.  Some are speculating that the delay may (finally) result in federal legislation detailing data breach response guidelines.  You know, because the massive prior data breaches were not enough to make federal legislation a priority.

In any event, if you are a Citigroup customer you should keep an eye out for an email notifying you of the breach.  That being said, it would not be surprising to see a phishing effort that tries to get unsuspecting Citigroup customers, who may or may not actually be affected by the breach, to click on links in emails in order to steal usernames and passwords.  In other words, if you do receive a notice from Citigroup about the breach, make sure that the email really is from Citigroup by confirming the links take you to a genuine Citigroup web site, or by navigating to the Citigroup web site manually and looking for information on the data breach.