Hackers attack Citi, access data of over 200,000 bank accounts

Citigroup is the latest corporation to end up on the list of big companies hacked so far this year. The bandits were able to access sensitive data belonging to over 200,000 bank card accounts in North America.

This incident is just another in a long string of highly publicized hacking attempts this year, including attacks on Sony's PlayStation Network, Gmail accounts in China and, most recently, Nintendo.

The Financial Times reports that the breach was actually discovered a little over a month ago in early May, but it has only become public knowledge now.

However, it might not be as bad as it seems just yet. First, the number of customers affected is only one percent of Citigroup's customers in North America. Sure, that's a considerable number of people, and it would be unfortunate to end up in that group. But this isn't exactly on the same scale as the attack on the PlayStation Network in April. That was worldwide, affected millions, and put more sensitive information at risk.

Citi affirmed that the only types of information that leaked were customer names, account numbers, contact info and email addresses. Citi added that social security numbers, birth dates, card expiration dates and card security codes were not at risk...at least not yet.

Citi spokesman Sean Kevelighan told Reuters in an email:

We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event...

For the security of these customers, we are not disclosing further details.

It's understandable that Citi wants to protect its customers (even though there was obviously a loophole somewhere), but many more questions that should be addressed remain unanswered - especially as to how this all happened.

Surely if you're a Citigroup member whose information was at risk in this incident, Citi reps will call you with instructions, but it's always a good idea to be proactive and take steps to protect your identity at all times.

Talkback

22 comments
  • It gets harder every day

    I know a little bit about Citi's IT, and they have as good a cadre of security professionals as anyone on the planet. They take this stuff very seriously.

    This is less likely to be a case of "Amateur Night at IT" or someone asleep at the switch than it is the sheer difficulty of human beings thinking of everything that could possibly go wrong, in a world where equally clever human beings are trying on purpose to make things go wrong.

    It's like the Army's never-ending contest between the makers of armored vehicles and the makers of armor-piercing shells. On any given day one or the other will be ahead... but not for long.
    Robert Hahn
    • RE: Hackers attack Citi, access data of over 200,000 bank accounts

      @Robert Hahn I'd bet money it's a third-party call center. I worked for a short time in one that did business with many of the big banks, and the security there was awful, worst I'd ever seen in my career. I was on calls with folks from the big banks to discuss security. They had extensive designs the call center was supposed to follow.

      The call center didn't do any of it, though -- but they told them they did. It was incredibly unethical, first time I was on one of those calls I was flabbergasted. I ended up leaving after only a few months. I couldn't look myself in the mirror working there.
      lkjlkjadf
    • RE: it gets harder

      I don't know about their security team, but at least a few years ago their general IT services team suffered from the same problem that every other Citi department was failing at: integration. Citi was built by mashing together hundreds of completely separate businesses and it did an absolutely *horrible* job integrating them. They were great at sticking a logo on the window and replacing the letterhead, but from what people I knew who worked there told me, the integration between business units was so poor that it took real (manual!) effort to generate even simple reports like account holdings for institutional clients. This was more than five years ago, so maybe there's been major improvement since then, but the worst thing for security professionals is complexity, and a few years back Citi was nothing but complexity.
      scripter
    • RE: Hackers attack Citi, access data of over 200,000 bank accounts

      @Robert Hahn
      Don't forget, Citigroup was at near extinction just 3 years ago. They have had massive layoffs over the last 3 years. I'm sure the confusion of exiting staff and new staff to take over existing security models have had their share of confusion and problems. Like most companies they probably have 1 staff doing the work of 3 and we all know how well that will work. I have been a Citibank customer for more than 2 decades. And in the last couple of years, there have been countless goofs and problems. For example, 30% of my online checks that I cut didn't make it to the party that I directed them to in 2009. Of course they just blame the post office.
      rengek
  • I would suggest citi customer close their account, and re-open one

    A leak of account info, name, address and email is serious enough for your account to be compromised.

    A hacker will:
    1. Send you a letter/statement pretending to be from the bank, asking for your signature.
    2. Use your info/signature to request a money transfer from the bank.

    These things happen.
    FADS_z
  • Message has been deleted.

    LoverockDavidson
    • RE: Hackers attack Citi, access data of over 200,000 bank accounts

      @LoverockDavidson

      Doubtful. Probably SQL injection brought to you by Microsoft SQL. Or some POS Windows server running somewhere.
      itguy08
      • RE: Hackers attack Citi, access data of over 200,000 bank accounts

        @itguy08

        Yes, SQL injection attacks where SQL Stored Procedures are used to expressly prevent the risk of SQL injection attacks. You are brilliant!

        And I suppose by your logic, cloud computing is the way of the future, hmmmmmmmmmm?
        Raid6
      • How can this be?

        @itguy08: "Doubtful. Probably SQL injection brought to you by Microsoft SQL. Or some POS Windows server running somewhere."

        ABMers have told us Windows isn't used for any serious work. How do you explain this contradiction to that?
        ye
      • SQL injection can be to any database

        @itguy08
        It is a fabricated SQL query, which manipulates data. It can be dangerous in web applications/cloud computing.
        FADS_z
      • Hey, itguy08

        @itguy08

        Please explain how someone can run MS SQL Server on a Solaris server? WINE???

        http://searchdns.netcraft.com/?host=citibank.com
        SonofaSailor
      • RE: Hackers attack Citi, access data of over 200,000 bank accounts

        @iFADS_z
        you just went over his head. It's a long break at MickeyD's..
        ItsTheBottomLine
    • RE: Hackers attack Citi, access data of over 200,000 bank accounts

      They must have been using linux
      LoverockDavidson
      • RE: Hackers attack Citi, access data of over 200,000 bank accounts

        @LoverockDavidson
        Yep! Most of their systems consist of Linux. Now we know which is the real POS!
        eargasm
      • RE: Hackers attack Citi, access data of over 200,000 bank accounts

        @windozefreak
        You sure about that? Let's see your proof.
        ScorpioBlue
      • RE: Hackers attack Citi, access data of over 200,000 bank accounts

        @LoverockDavidson great reply LD, absolutely one of your best! Well done ol sport, well done indeed!
        T-Wrench
  • how about using cash machines

    Does anyone know how this would affect people using Citi Bank cash machines but not having an account with Citi Bank?
    mick54@...
  • Death To Hackers

    Death To Hackers
    Bruceeverett
  • High time for Identity Theft law changes

    Since these folks are incapable of securing the data of our accounts with them, it seems to me that they have no excuse for not accepting the blame when it comes to identity theft. You didn't apply for that home loan, why should you be shouldered with trying to prove it wasn't you? They gave out the loan, it should be on their hands.
    rwalla@...
  • First hand experience

    I have an old "dormant" credit card account with Citi. Don't use it. However, recently received an email stating my account password was attempted multiple times and, therefore, they locked my account. To verify the authenticity of the email, they provided a phone number, etc. I've spotted some scams before, but they had this one nicely formatted, no spelling errors, etc. When I dialed the phone number, I was asked to enter my NINE DIGIT Social Security number. Hung up.
    ChanticoSkky77