In the latest string of cyber attacks hitting multinational corporations this summer, hackers accessed the information of 200,000 bank accounts at Citigroup, one of the country's largest banks, the Financial Times reported early this morning. If there's a lesson to be learned from Sony's recent security debacle, Citigroup would do well to warn the affected customers as soon as possible and provide tips on how to protect themselves. Some are already criticizing the bank for not responding sooner to the breach, which was reportedly discovered in May. Here's what we know about the attack thus far and how Citigroup has reacted.
Where the attack happened "The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and e-mail addresses," reports FT. "Other information such as birth dates, social security numbers and card security codes are held elsewhere and were not compromised, Citi said."
Citigroup's response "The bank said it had contacted law enforcement officials and tightened its fraud detection procedures, but declined to provide further details or to say whether customers had reported suspicious transactions," the FT reports. In a statement to Reuters the bank said "We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event."
Why the attack could be worse than what Citi's saying A Citi spokesman in Hong Kong tells the news service that the breach "affected 1 percent of North American card customers, which the bank's annual report says total 21 million." A report from the FT conflicts with Citi's statements about who's been affected. "Citi said the breach affected credit card accounts only," reports the FT. "But several people that the FT spoke to said their debit cards were compromised. These people said they did not learn of the problem until they tried to use their cards at the weekend and had the transactions denied. Citi said it had been contacting customers whose information was involved."
Complaints from outsiders "It may be the bank's business, but it's the consumer's personal information so consumers deserve to be told about security breaches immediately," Dan Simpson, a spokesman for Australia's Consumer Action Law Center, told Reuters. "It's hard to see any reason why this sort of breach couldn't have been disclosed much sooner." Asavin Wattanajantra at The Inquirer agrees. "The type of data taken means that the hackers don't have enough information to start making charges on customers' account, but with account numbers and contact details they have enough data to conduct some very convincing spear phishing attacks," he writes. "This is why Citigroup's reluctance to disclose details of the breach, which happened back at the start of May, is rather disappointing. It could have kept customers much better informed about potential scams."
This article is from the archive of our partner The Wire.