Citi says hackers access bank card data

[Richard Forno <rforno () infowarrior org>]

Citi says hackers access bank card data
 
By Maria Aspan and Narayanan Somasundaram

NEW YORK/SYDNEY | Thu Jun 9, 2011 7:17am EDT

http://www.reuters.com/article/2011/06/09/uk-citi-hacking-idUSLNE75800H20110609

(Reuters) - Citigroup Inc (C.N) said computer hackers breached the bank's network and accessed the data of about 
200,000 bank card holders in North America, the latest of a string of cyber attacks on high-profile companies.

Citi said the names of customers, account numbers and contact information, including email addresses, were viewed in 
the breach, which the Financial Times said was discovered by the bank in early May.

However, Citi said other information such as birth dates, social security numbers, card expiration dates and card 
security codes CVV.L were not compromised.

"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a 
recurrence of this type of event," Sean Kevelighan, a U.S.-based spokesman, said by email.

"For the security of these customers, we are not disclosing further details."

In the brief email statement, Citi did not say how the breach had occurred.

Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card 
customers, which the bank's annual report says total 21 million.

But like Japanese electronics and entertainment group Sony, which has declared several security breaches of its 
networks this year, Citi could come under fire for not telling customers sooner.

"It may be the bank's business, but it's the consumer's personal information so consumers deserve to be told about 
security breaches immediately," said Dan Simpson, a spokesman for Australia's Consumer Action Law Centre, an advocacy 
group.

"It's hard to see any reason why this sort of breach couldn't have been disclosed much sooner."

GROWING CONCERN

Citigroup joins a growing list of companies that have suffered cyber attacks.

Data storage firm EMC Ltd (EMC.N) this week offered to replace millions of electronic keys after hackers used data from 
its RSA security division to break into the network of arms supplier and information technology provider Lockheed 
Martin (LMT.N).

Sony has reported several attacks, including one in which hackers accessed the personal information on 77 million 
PlayStation Network and Qriocity accounts.

Sony was criticised for a delay in telling account holders that their information had been stolen by hackers.

Google Inc (GOOG.O) last week revealed a major attack on its Gmail accounts targeting, among others, senior U.S. 
government officials that it said appeared to originate in China.

Washington has scrambled to assess if security had been compromised by the raid on Google's Gmail system, reflecting 
increasing concerns among global policymakers about cyber security.

Citi said it had discovered the unauthorized access at Citi Account Online, an online banking service, through routine 
monitoring.

"It's definitely a serious security breach when that amount of data's been stolen from a bank," said Sydney-based Ty 
Miller, chief technology officer of Pure Hacking, a network security company.

Citigroup global enterprise payments head Paul Galant, who previously ran the bank's credit card unit, said in April 
that security breaches are a fact of life for financial institutions.

"Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the 
customer base safe and customers feeling secure about their financial transactions and payments," he told Reuters in an 
interview. (Additional reporting by Abhishek Takle and Renju Jose in Bangalore and Sonali Paul in Melbourne; Editing by 
Vinu Pilakkott and Neil Fullick)
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/