The Green Sheet

Monday, June 13, 2011

Citigroup breach brings federal heat

The number and frequency of data thefts from high-profile corporations have caused some lawmakers to question whether these companies are learning from others' mistakes. The latest such victim is Citigroup Inc. (Citi). The bank reported on June 9, 2011, that information from more than 200,000 of its customers' credit cards was stolen. The company said no debit card information was taken.

A Citi spokesman sent the following statement about the breach to The Green Sheet, "During routine monitoring we recently discovered unauthorized access to Citi's Account Online. A limited number – roughly one percent – of North America Citi-branded credit card customers' account information (such as name, account number and contact information including email address) was viewed.

"The customer's Social Security number, date of birth, card expiration date and card security code (CVV) were not compromised. We are in the process of sending notification letters to customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details."

Breach concealment could become a crime

Citi waited a month to tell customers their personal data was stolen. In May 2011, Sony PlayStation Network had the credit card information of more than 100 million customers stolen but waited days before telling anyone of the theft.

The decision to wait to notify its customers of a breach where their personal information was plundered has been a public relations headache for Sony. The company continues to generate criticism from federal lawmakers, industry analysts and consumers. Legislators such as Rep. Mary Bono Mack, R-Calif., and Sen. Daniel Patrick Leahy, D-Vt., are introducing new legislation to supersede the data breach reporting requirements of 47 states. Leahy's bill, introduced in early June, would also make it a crime to conceal data breaches.

Banks have been criticized for how slowly they have moved to protect personal information they collect. Federal Deposit Insurance Corp. Chairwoman Sheila Bair, upon hearing of the data theft, immediately called for stronger authentication procedures for online accounts.

Bank losses appear to be insignificant

One reason banks have been slow to react to data theft is that the monetary losses are not considered statistically significant. Fraud losses have actually been declining, with industry estimates currently pinning fraud costs at about 5 cents for every $100 charged.

An Identity Theft Resource Center report issued June 7, 2011, just two days before Citi reported its theft, found that halfway through the year there had been only 17 bank breaches. The report said banks represented only 8.7 percent of all the known breaches in the United States in 2011. Those banks had only 19,348 records stolen, representing only 0.2 percent of all the data stolen so far this year – up until the Citi breach.

Banks can also profit after a data theft. Some banks will impose chargeback fees on merchants and force the retailers to cover the cost of the inventory lost to fraud after a breach.

Security specialists report there is little data thieves can do with the information stolen from Citi. "There is very limited, if any, fraud that can be performed by the attackers with just [a] credit card number alone," Senior Vice President of TrustWave's SpiderLabs Nicholas Percoco said. "While the fact that credit card numbers were breached makes news, without track, expiration date and/or [card verification number] that number is basically worthless. The real concern is, have customers been targeted with other types of attacks using the name, address, email [or other] info that was breached?"

Percoco indicated he was confident the more sensitive information was secure on other Citi systems that were not attacked and speculated the Citi attack originated from a customer or customer account.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
