Stolen from Citigroup, one of the world’s largest banks with 21 million U.S. customers, are bankcard holders’ names, account numbers, and contact information such as e-mail addresses. The only good news is that social security numbers, birth dates, and card verification codes were stored on systems that were not compromised, Citi says. The hack occurred in early May and the company only came clean when the Financial Times broke the story this morning (registration required). Citi says it is in contact with law enforcement officials.
Why Citi was Quiet About Hack
Ondrej Krehel, Chief Information Security Officer for data risk management firm Identity Theft 911, says delaying the release of details is sometimes necessary and “depends on multiple factors, including forensic investigations discovering the scope of the hack and what data’s been taken. Law enforcement can also request a delay. Each state statute has different notification requirements, however.”
Speaking to Reuters, a Citi representative said the company has “implemented enhanced procedures” to avoid the hack happening again.
Citi says it has contacted the affected customers, but despite its statement that only credit card details were stolen, the Financial Times says it has spoken to individuals whose debit cards were cancelled too. The first some customers knew of it was when their cards were declined at retail outlets — embarrassing, and hardly the best way to learn of such things.
2011: The Year of the Hack?
There’s been a wave of hack attacks on high-profile targets recently, such as Sony, Gmail and defense contractor Lockheed Martin, but the hacking of a bank is a rarity. Bank websites usually employ bullet-proof security, Krehel says.
“These portals are constantly monitored and scanned internally for open vulnerabilities. However, hackers who discover just one open hole get access. Corporations perform many technical assessments to measure and close their exposure, but it seems that hackers still find ways to exploit the systems.”
Hacking is Evolving into Something Different
Hackers appear to be evolving as a species, says Krehel.
“Hacking these days is about monetization of data — making a profit in the underground cyberworld. Perhaps that is why we no longer see site defacement being popular as the focus has shifted to consumer data, with the most favorite choice being financial data.”
In March, email marketing firm Epsilon Interactive was hacked and details of Citigroup account holders, among others, were stolen. It’s not clear whether that hack was a jumping-off point for May’s attack.
Although names, account numbers and email addresses will not by themselves give cybercriminals access to account data, they do make effective phishing attacks possible. Criminals could include a customer’s card number in the email, for example, which could be enough to convince them to follow a link to a bogus website set up to capture yet more details.
With perfect bad timing just days before the hack took place, Citigroup’s head of global enterprise payments (and former head of its credit card unit) — Paul Galant — told Reuters in April that “security breaches happen … the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments”. He added that Citigroup spends “a tremendous amount of money on security. We take it very, very seriously — I don’t know that there’s a way we could take it more seriously.”