Robert Galbraith/Reuters
12:49 p.m. | Updated Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America.
“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” the bank said in an e-mailed statement. “We are contacting customers whose information was impacted.”
The bank said about 1 percent of its North American credit card holders had been affected, putting the total count of customers exposed in the hundreds of thousands, based on its annual report for 2010, which said it had about 21 million credit card customers in North America.
While information concerning customers’ names, credit card numbers, addresses and e-mail addresses was exposed, the bank said that data like the “Social Security number, date of birth, card expiration date and card security code were not compromised.”
Citi is notifying cardholders who have been affected via mail, as well as via their online accounts. Most customers will also received a replacement card, the company said.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the bank said. “For the security of these customers, we are not disclosing further details.”
While no group has claimed responsibility for the breach, it is part of a spate of recent cyberattacks.
Sony has reported a series of assaults on its PlayStation network and several Sony Web sites — one hacker site says there have been 18 so far — after the company sued, and then settled with, a programmer who had cracked the PlayStation code. Other attacks have hit PBS, Fox and an F.B.I. affiliate known as Infragard. And most worrying of all, perhaps, they compromised the security system of RSA, maker of the popular SecurID.
But none of those breaches appears to pose as direct a threat to consumers as the one reported by Citi. A spokesman for the bank said that only credit card customers had been affected, not debit card holders, and that law enforcement had been alerted.
The Financial Times earlier reported the breach.
Two people associated with the hacker collective Anonymous said they did not believe the group was involved.
“Anonymous kind of moved off the banks,” one said, adding that it was “because they were bored.”
Anonymous has become known for prominent denial-of-service attacks that disable and deface the Web sites of companies the hackers dislike; for example, the group disrupted service at Visa and MasterCard after they stopped allowing donations to WikiLeaks.
“For-profit attacks are always foreign,” one of the people said. “I’ve never heard of an American group doing that. You can deface a Web site, but once you start stealing money … we understand the FBI. They can kick your door down for downloading torrents.”
Citigroup was reported to have been breached by hackers tied to a Russian group in 2009, and before that in 1995.
One of the members of Anonymous questioned Citigroup’s security as the bank described it on its Citi Card site, saying the 128-bit encryption the bank boasts of is “really not that big a deal.”
“Two-hundred-and-fifty-six bit would take someone a lifetime to decrypt,” the person said. “The security is so weak right now, if you know a couple attacks, you can just go around and see what works.”
Article source: http://feeds.nytimes.com/click.phdo?i=e5b18760f5e312a43a8a211ce4e132cb