Connecticut Attorney General demands details on Citi's credit card breach

In a June 13 letter to Citigroup Chief Executive Officer Vikram Pandit, Attorney General George Jepsen said that Citigroup has yet to provide critical facts about the data breach, including the “number and characteristics of impacted accounts, the cause of the breach, the steps taken to notify and protect the affected individuals, and the nature of any procedures adopted to prevent future data breaches.”

Earlier this month, Citigroup admitted in a statement emailed to the Wall Street Journal that 1% of its roughly 21 million North America customers’ credit card accounts were hacked.

The Attorney General criticized the company for not providing details of the data breach in “public reports” on the incident. Jepsen demanded that Citigroup provide detailed information on 10 items related to the breach, including the total number of individuals affected, all categories of personal information compromised, and a timeline of the events and Citigroup’s response. He set a June 22 deadline for a reply from Citigroup.

Jepsen said the data breach raises concerns about the effectiveness of Citigroup’s measures to protect the confidentiality and security of customers’ personal information. “I am particularly interested in ensuring measures are in place to prevent the reoccurrence of breaches of this sort and to make sure that Citigroup provides sufficient protection from financial fraud to customers whose information was compromised.”

The Attorney General said he expects Citigroup to compensate Connecticut consumers affected by the data breach. “To that end, I ask that Citigroup affirmatively commit to holding all affected customers harmless relative to this breach, including the reimbursement of any out-of-pocket expenses related to the reporting of unauthorized charges or the clearing/correction of any negative credit report information”, Jepsen wrote in the letter.

Citigroup declined to comment directly on the Attorney General’s letter. Spokesman Sean Kevelighan told Bloomberg that his company “immediately rectified the data breach upon discovery, while also placing internal fraud alerts and monitoring on all accounts at risk. Simultaneously, we began analysis to determine the precise accounts and type of information accessed. None of the data breached was sufficient to perpetrate fraud.”
