Citigroup admits to data breach affecting 210,000 credit card customers

Citigroup has more than 21 million accounts generating $77 billion in receivables in North America, according to its 2010 annual report.

"During routine monitoring, we recently discovered unauthorized access to Citi's Account Online”, Citigroup said in a statement emailed to the Wall Street Journal. The hackers reviewed customers’ names, account numbers, and contact information.

The bank said that hackers did not get access to customers’ social security numbers, dates of birth, card expiration dates, or card security codes.

Citigroup said it was contacting customers whose information was affected.

Commenting on the Citigroup breach, Mike Paquette, chief strategy officer at Top Layer Security said, that it appears the data breach was not sufficient to be used directly for fraud or theft. “However, the bad news is that somehow, a significant amount of cardholder data was leaked, including names, account numbers, and email addresses, all of which could be used as social engineering context to attempt to gain access to other key information needed to monetize the already stolen account information, through methods such as phishing”, he said.

Ron Gula, chief executive officer of Tenable Network Security, said that the data breach demonstrates the need for network vulnerability scanning. “Organizations need to assume that malicious code is going to infiltrate their network, so what’s needed is a system that will continuously monitor the entire organization’s network, to immediately flag when there is a compromise, or potential vulnerability discovered from internal or external sources”, Gula added.

In response to the Citigroup data breach, the Federal Deposit Insurance Corp (FDIC) said it is developing new data security guidance for banks and may ask banks “to strengthen their authentication when a customer logs onto online accounts", FDIC chairman Sheila Blair was quoted by Reuters as saying.

In a related development, the Securities and Exchange Commission (SEC) said it was willing to “seriously consider” issuing additional guidance for public companies on data breach disclosures, according to a report by Reuters. In May, a group of five Democratic senators asked the SEC to issue national guidance on data breach disclosures.

What’s hot on Infosecurity Magazine?