Citigroup Hack Gains Access To Customer Data


Citigroup is the latest victim of a burst of recent corporate hacks, saying late Wednesday its systems were targeted by miscreants who compromised the accounts of more than 200,000 bank card holders.

The Citigroup hack, first reported by The Financial Times, was initially detected in early May, affecting about 1 percent of its 21 million card holders.

Thus far, it is unclear how the breach occurred. Currently, Citigroup is working with law enforcement officials to determine details of the incident while enhancing fraud procedures to prevent a similar attack.

“We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” a Citi spokesperson said. “For the security of these customers, we are not disclosing further details.”

The bank said it also plans to issue replacement credit cards to customers possibly affected by the breach.

The compromised information included customer names, account numbers, and other contact information such as e-mail addresses, according to The Financial Times.

However, other personally identifying information, such as customer dates of birth, social security numbers, card expiration dates and CVV codes, was not compromised in the hack, Citi said.

Security experts say that while the compromised information isn’t sufficient for fraud or theft, enough card holder data was leaked to be used in phishing attacks and other social engineering schemes.

“A significant amount of cardholder data was leaked, including names, account numbers and e-mail addresses, all of which could be used as social engineering context to attempt to gain access to other key information needed to monetize the already stolen account information, through methods such as phishing,” said Mike Paquette, chief strategy officer at Top Layer Security.

The recent Citi breach has elicited increased scrutiny from the FDIC and other regulators, and could possibly compel a systemic overhaul of the banking industry’s security and data protection systems that go beyond compliance, according to Reuters.

The banking industry has seldom been targeted in major cyber attacks, in part due to stringent regulations requiring advanced security and compliance measures.

Citigroup is the latest in a long string of high-profile victims, including Sony, Google and Lockheed Martin, to come under siege in a targeted cyber attack in recent weeks.

Troy Gil, security analyst at AppRiver, said that it seemed unlikely that the Citigroup hack was related to the previous attacks on Google and Lockheed Martin.

“Those attacks were performed by a group of individuals who typically communicate their undertakings in a prompt manner, and no ownership of the Citigroup attack has been communicated at this time,” he said.

However, security experts contend that the continuous trend of high-profile attacks indicates that hackers are becoming more deliberate and technologically advanced in their methods, and highly skilled at social engineering. Paquette said that phishing attacks have become increasingly targeted, using personalized information to establish trust with the victims and trick them into handing over sensitive data.

As such, cyber criminals are often able to successfully execute more high-profile attacks.

“Even reasonably savvy cardholders can be tricked into providing additional information if the phishing e-mail or phone call they receive from a fraudster already knows their name, the card number and their e-mail address,” he said.

Fred Touchette, senior security analyst at AppRiver, said that at the very least, organizations needed to implement multiple layers of protection, including firewalls, Web filtering and antivirus with a heuristic testing engine in order to reduce the risk of attack.

“The Citigroup breach is not a standalone indication that more attacks against the financial sector are imminent,” he said. “Instead, it reminds users and institutions alike to remain vigilant about the information shared and stored online.”