Hackers Break into Citi Servers, Steal Credit Card Data

Jay Decenella, IT audit expert
June 09, 2011

Banking giant Citigroup said in a statement Thursday that a group of computer hackers penetrated its servers, stealing the bank card data of more than 210,000 credit card holders in the USA.

“During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online. A limited number — roughly one percent — of Citi bankcard customers’ account information… was viewed,” Citi said in a statement.

The number represents about one percent of Citi’s 21 million clients, or more than 200,000. According to its 2010 annual report, Citi provides more than 21 million credit cards that generate more than $77 billion in receivables in North America, making it one of the banking industry’s biggest credit card providers.

The bank said none of its Asia-Pacific credit cards have been compromised.

The card data breach comes hard on the heels of major breaches that have rocked large companies and financial institutions of late.

On May 27, Honda Canada warned around 280,000 customers of unauthorized access to information in its 2009 records after spotting the breach of its Web server late in February.

At the same time, major Australian banks, including Commonwealth Bank, Westpac-owned St George Bank, National Australia Bank, and ANZ, were on red alert after discovering a potential card breach following a compromise that initially struck an external merchant of St George.

Although Citi already said the data breach affected only credit cards, some customers told the Financial Times that they were having problems with their debit cards as well.

The data breach affected card data such as account numbers, customer names and contact information of Citi customers.

But the New York-based bank added that the hackers failed to gain access to customers’ Social Security numbers, dates of birth, card expiration dates, or card security codes. How these hackers infiltrated Citi’s servers remains unresolved.

Citi told Reuters newswire that it is “contacting customers whose information was impacted.”

The bank added that it “has implemented enhanced procedures to prevent a recurrence of this type of event,” though it refused to comment further on the issue for the security of these customers.

Citi was criticized for its late reporting of the data breach, which allegedly took place last month, according to a report by the Financial Times.

According to Sophos senior security advisor Chester Wisniewski, the card data breach may further lead to social engineering attempts aimed at cyber crime, while “Citi customers aren’t likely to have fraudulent charges against their accounts.”

Wisniewski warned customers about possible scams, phishing attacks, and phone calls purporting to be from Citibank and its subsidiaries.

“Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims,” he said.

“Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements.

“When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.”
