
Updated: Hackers Steal Credit Card Numbers From 360,000 Citi Customers

This article was written by in Privacy and Security. 14 comments.


The latest big business security breach affected Citigroup and about 1% of the company’s credit card customers. Hackers were able to access the customer database, finding customers’ names, credit card numbers, and email addresses free for the taking. The hackers were not able to gain access to other personal information, like Social Security numbers, card verification numbers, or birth dates. The company has started contacting affected customers.

It’s unlikely that customers whose numbers and names were exposed are significantly more susceptible to identity theft as a result of this breach, because Citi kept the more sensitive information secure. It may still be a good idea to change your password if you have online access to a Citi credit card. In cases like these, there is little that customers can do to avoid being included in a data breach short of opting out of the finance industry overall. If you never sign up for a credit card, you prevent hackers from stealing your information. Once you’re in “the system,” you have to rely on banks to protect your information appropriately.

As a result of this breach and the continual development of technology, financial institutions may soon find new regulations that require even stricter security for online access. Some financial institutions now offer options for their customers to authenticate via a SecurID — technology that uses wireless networks to provide a unique code over the air that must be verified before you can access your account. In my role at my former job, I accessed banking institutions on behalf of the company, and every bank required a different wireless device. This could be where the consumer market is heading — and if it is, it’s going to make even more sense to simplify your finances.

Additional information: According to the Wall Street Journal, Citigroup waited up to three weeks after the incident before notifying customers. The delay was due to an investigation into the issue.

Update: Of the 360,000 accounts breached, only 3,400 accounts were subject to fraudulent charges by the hackers. Customers are not responsible for fraudulent charges, though the total loss on Citi’s side due to the fraud is $2.7 million.

Yahoo Finance / AP, CNN Money

Updated December 22, 2011 and originally published June 27, 2011.

About the author

Luke Landes, also known as Flexo, is the founder of Consumerism Commentary. He has been blogging and writing for the internet since 1995 and has been building online communities since 1991.

Bobka ♦13 (Newbie)

Flexo, you are correct. The banking industry is very vigilant, but sometimes there are security breaches. When I worked in that industry, hackers were continually trying to get into our systems. The time really has come for the financial institutions to invest in better information security.

Regarding online access, ETrade offers what appears to be effective added security through a remote device that flashes a six digit numerical code that must be added to your online password before you are allowed into an account. That code changes about every thirty seconds. It seems to be one of the better and more customer friendly methods of securing accounts.

Credit card magnetic strip technology is dated and somewhat insecure, too. Card issuers will soon need to upgrade to the more secure European style cards.

All this change will take money to accomplish. So we probably will see higher banking fees or account deposit minimums as a result.

Investor Junkie

Bobka,

You are incorrect as RSA (the dongle you are referring to) was itself hacked.

http://www.pcworld.com/businesscenter/article/222559/after_rsa_breach_are_securid_tokens_in_jeopardy.html

While SecurIDs can be more secure, not if other basic security policies aren’t in place.

Bobka ♦13 (Newbie)

Thank you for the information. Looks like it is time for ETrade to upgrade its security.

Ceecee ♦796 (Dime)

There was an episode of American Greed on CNBC that featured a master hacker and he got hundreds of thousands of debit card numbers. Since seeing that, I feel like nothing is secure. I’m sticking with a credit card, since it has more protection against loss.

wylerassociate ♦905 (Dime)

I change my passwords every 3-4 months but now most banks & companies require passwords to be some alphanumeric combination. Nothing is secure, it’s just trying to be as vigilant as a person can be.

Investor Junkie

Changing passwords every 3-4 months does not make you more secure. Make sure you:
- have a unique password per site/account
- use a password manager
- make sure they are random
- make sure your desktop is up-to-date and secured

Unless their system itself is hacked, changing the password every 3-4 months does nothing to make it more secure.

DonnaFreedman ♦2,441 (Dollar)

This could be a huge hassle for someone who travels a lot. If your card were hacked while you were out of e-mail/phone contact, you’d wind up red-faced at a restaurant or shop saying, “No, there must be some mistake. Run the card again.”
A couple of years ago the system at one of my card companies was “compromised” and the card canceled without warning. Or, rather, they “warned” me by sending me a letter three days after the fact. I was red-faced at a sandwich shop.
Right now I’m in the middle of a two-month trip. Hope my card wasn’t among those hacked. I better go check. I’ve never relied on just one card, mind you, but this could be a big hassle.

lynn ♦155 (Cent)

Citi kept the more sensitive information secure????? All of the info should be kept secure.

skylog ♦368 (Nickel)

That is what I was thinking. One, how can I be expected to believe them? Two, why is not everything “secure?”

qixx ♦1,813 (Half-Dollar)

I had Discover once send me a new card because they were unsure if someone got into one of their databases. Turned out to be nothing but they already sent out new cards with new numbers.

blissfool

Well, they’ve found out how the hackers got access to the account and account information… and it’s really sad. And it wouldn’t have mattered how secure your passwords were or if you were changing it every minute.

“Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.” — http://con.st/10019856

Ugh! Unbelievable. They could have probably created an initial account for themselves.

Reply to this comment
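
The flaw described in the report quoted above is a missing per-object authorization check: being logged in was treated as permission to view whatever account id the URL named. As an added example (not code from Citi, the article or any commenter; the account data, function names and threshold are constructed for illustration), here is that pattern beside a handler that verifies ownership on every request and logs denials so that probing across ids can be flagged:

```python
"""Added example: object-level authorization for an account-view handler.
All names and data here are constructed for illustration."""
from collections import defaultdict

# Constructed sample data: account id -> record; "owner" is the login allowed to view it.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice Example", "card_last4": "4242"},
    "1002": {"owner": "bob", "name": "Bob Example", "card_last4": "1881"},
    "1003": {"owner": "carol", "name": "Carol Example", "card_last4": "0005"},
}

def view_account_flawed(session_user, account_id):
    """The pattern the quote describes: logged in, so the id in the URL is trusted."""
    if session_user is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    return (200, record) if record else (404, None)

def view_account_checked(session_user, account_id, audit_log):
    """Same handler with an ownership check on every request."""
    if session_user is None:
        return 401, None
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same response for "missing" and "not yours", so ids cannot be probed.
        audit_log.append((session_user, account_id))
        return 404, None
    return 200, record

def flag_enumeration(audit_log, threshold=2):
    """Return users whose denied requests touched at least `threshold` distinct ids."""
    denied = defaultdict(set)
    for user, account_id in audit_log:
        denied[user].add(account_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)

def demo():
    log = []
    flawed = view_account_flawed("alice", "1002")  # returns another customer's record
    checked = [view_account_checked("alice", i, log)[0] for i in ("1001", "1002", "1003")]
    return flawed[0], checked, flag_enumeration(log)

if __name__ == "__main__":
    print(demo())
```
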

wylerassociate ♦905 (Dime)

I think the banking industry is doing everything it can to protect customers’ account information online but it’s a situation where hackers are always 5 steps ahead & that unfortunately will not change.

Tyson Demick

Unfortunately this is going to be an ongoing problem. As systems get smarter so will the hackers in a never ending cycle. Cold hard physical cash must be looking good?

Daniel Hong

Although, in this case, it was the system getting stupider. ;D
