The criminals went on to steal about $2.7 million, all thanks to a security flaw in Citi's Account Online Web-based service. The vulnerability allowed anyone, once they had logged in to the system with an account number and password, to change a few characters in the URL to access additional accounts.
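The flaw described above is an insecure direct object reference: the site authenticated the session but trusted the account number carried in the URL. The following is an added illustration, not Citi's code, using a constructed in-memory account and session store (all names and values are assumed); it shows the vulnerable lookup beside a hardened one that enforces ownership and records denied lookups so repeated URL tampering can be detected.

```python
from collections import Counter

# Constructed sample data: account number -> (owner, balance)
ACCOUNTS = {
    "1001": ("alice", 250.00),
    "1002": ("bob", 9800.00),
}
# Constructed session store: session token -> authenticated user
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
# Audit trail of denied lookups: (session_token, requested account)
AUDIT = []


class Forbidden(Exception):
    """Raised when a session requests an account it does not own."""


def vulnerable_view(session_token, acct):
    """Authenticates the session, then trusts the acct value from the URL."""
    user = SESSIONS[session_token]      # authentication happens here...
    _owner, balance = ACCOUNTS[acct]    # ...but ownership is never checked
    return {"viewer": user, "account": acct, "balance": balance}


def hardened_view(session_token, acct):
    """Authorizes: the requested account must belong to the session's user.

    Unknown and unowned accounts are refused identically, so the response
    does not reveal which account numbers exist.
    """
    user = SESSIONS[session_token]
    entry = ACCOUNTS.get(acct)
    if entry is None or entry[0] != user:
        AUDIT.append((session_token, acct))
        raise Forbidden(f"{user} may not view account {acct}")
    _owner, balance = entry
    return {"viewer": user, "account": acct, "balance": balance}


def enumeration_suspects(audit, threshold=3):
    """Sessions with at least `threshold` denied lookups: a tampering signal."""
    counts = Counter(session for session, _ in audit)
    return sorted(s for s, n in counts.items() if n >= threshold)
```

The denial threshold is a constructed value; in a real deployment it would be tuned against normal error rates and fed to the monitoring pipeline rather than kept in process memory.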
The settlement, which resolves alleged violations of the Connecticut Unfair Trade Practices Act, is the first to result from the breach. In all, 5,066 of the 360,000 affected customers were in Connecticut. The states with the most affected Citi credit card customers were California (80,454), Texas (44,134), and Illinois (30,054).
According to the Banking Business Review, Citi will pay $15,000 in civil penalties to the state's privacy protection guaranty and enforcement account and $40,000 to the state's general fund.
According to prosecutors, Citi may have known about the security flaw for as long as three years before the attack without resolving it. The bank's investigators, however, said that the vulnerability was discovered on May 10. The bank then failed to remedy the problem for 17 days: it plugged the hole on May 27, but didn't inform the affected customers until June 3, 2011.
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," said Connecticut attorney general George Jepsen.
The bank is hiring a third party to carry out a security audit of the Account Online system. It’s also offering up to two years of free credit monitoring for any affected Connecticut customers.
"This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols," Jepsen added.