Citigroup hacker attack affected more customers than first thought


The breach in Citigroup Inc.’s online security, affecting more customers than originally thought, shows that financial institutions still are struggling to block hackers and still are loath to explain to customers and the public what thieves took.

Hackers obtained information on 360,083 credit accounts of North American customers in an attack last month, Citigroup said late Wednesday. That’s about 80% more than first estimated.

The giant New York banking company, parent company of Citibank, downplayed the break-in, saying its security team identified the attack May 10 and “immediately rectified” the situation.


Citigroup said that thieves captured names, account numbers and contact information, including email addresses, for about 1% of its 23.5 million customers.

“However, data that is critical to commit fraud was not compromised: the customers’ Social Security number, date of birth, card expiration date and card security code,” it said.

But how critical the information is “depends on the intent of whoever got this list,” said Jon Fox, consumer advocate for the nonpartisan California Public Interest Research Group.

“Mostly these [hacking] attempts are for spam or other criminal pursuits,” such as phishing scams in which criminals pose as banks or other institutions to steal identities or commit other fraud, Fox said.

And Citigroup’s attempt to put customers at ease may have been blunted by hacker group LulzSec.

The group took credit late Wednesday for breaking into the Central Intelligence Agency’s website, and on Thursday it put on the Internet 62,000 stolen emails and passwords, without disclosing the source.


The Citigroup breach was the latest in a rash of cyber crime in recent months.

“There’s a boom of online theft, just like there was a boom in train and bank robberies,” said Amrit Williams, a former security consultant now with behavioral research firm Quantivo Inc. “We just don’t have the law enforcement to deal with it in the way that results in an acceptable level of risk.”

Citigroup said it had put in place “enhanced procedures” to prevent another security lapse, though it didn’t elaborate.

The bank began sending notifications to affected cardholders June 3, and it has reissued credit cards for more than 217,000 accounts. Some accounts were closed. It reassured customers that they would not be liable for any losses stemming from the breach.

Citigroup also notified government and law enforcement officials and then, citing ongoing investigations, wouldn’t disclose how the breach occurred.

Fox criticized companies in general for failing to protect their data better and for not being more transparent with their customers and the public about the attacks.

“They are asking us to trust them, but obviously with the data breaches happening within the last three months, they are not taking it seriously enough,” he said.

He said Citigroup should not have waited a month to start notifying customers about the breach. Beth Givens, director of consumer advocacy group Privacy Rights Clearinghouse in San Diego, agreed.

“From the perspective of the affected individual, one month is a long time,” Givens said.

Meantime, hackers want to capitalize on their theft through phishing and other fraudulent schemes, said Stan Stahl, president of security management firm Citadel Information Group Inc. in Los Angeles.

“They have 300,000 names, email addresses, account numbers of some kind. There are lots of ways they can make money out of it,” Stahl said.