Citi Defends Delay in Disclosing Hacking

Citigroup Inc. waited as long as three weeks to alert credit-card customers of a hacking attack because it was conducting an investigation and producing replacement cards, according to a person familiar with the situation.

The internal investigation that followed the discovery by Citigroup officials in early May that the New York bank’s systems had been breached took from 10 to 12 days, this person said. In some cases, Citigroup took action to protect accounts considered vulnerable to fraud.

Citigroup publicly acknowledged the security breach last Thursday, saying it affected about 200,000 customers, or 1% of the company’s card users in North America. The company said it had referred the matter to law-enforcement authorities and planned to send replacement cards to a majority of the affected customers.

Some critics have accused Citigroup officials of dragging their feet in telling customers that some of their data had been compromised. The Senate banking committee is planning hearings on data security. The breach follows other attacks that are increasing concerns among financial regulators and security experts that banks and other companies aren’t doing enough to protect themselves and their customers.

“Every minute that passes after a hacker gains access to customers’ confidential information means a greater risk of both monetary and identity theft,” said Mandeep Khera, an official at Cenzic Inc.

Other targets of similar attacks include Sony Corp. and Lockheed Martin Corp. Security experts say financial institutions are a top target. On Saturday, the International Monetary Fund said it had been hit by “a cyber security incident.”

The person familiar with Citigroup’s response to the security breach said company officials responded to the discovery of the attack immediately. In late May, the company announced a week-long process for a mailing to notify the roughly 200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of new cards started June 3, or six days before Citigroup publicly disclosed the hack attack.

Citigroup said the hackers gained access to data such as names, account numbers and email addresses. The breach didn’t compromise Social Security numbers, dates of birth, card security codes or expiration dates. Bank officials have said the data that was disclosed wasn’t enough to commit fraud.

Before the official customer notification, Citigroup moved to protect certain customers by sending out an internal fraud alert on all those customers considered at risk, the person familiar with the matter said.

A few experts said that Citigroup’s response was reasonable. By discovering and investigating the breach itself, Citigroup was able to “allay” customer fears about data that wasn’t compromised, said Joe Gottlieb, chief executive of SenSage Inc., a Redwood City, Calif., firm that produces software to reduce fraud and compliance risks.
