Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them.
Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers.
“They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”
In Washington, the finger-pointing has already begun. Sheila C. Bair, the chairwoman of the Federal Deposit Insurance Corporation, said on Thursday that she planned to call on some banks to strengthen their authentication procedures when customers log onto online accounts. That’s on top of new data security rules that federal regulators are completing.
Lawmakers, meanwhile, said they were outraged that Citigroup had waited since early May to notify its customers; some are preparing legislation.
Representative James R. Langevin, a Rhode Island Democrat, said he was “shocked and disappointed” to learn of Citi’s delayed disclosure. “They knew the customers’ data was potentially exposed in May and only now are they telling them about the threat,” he said. “Being more forthcoming is essential.”
Consumers, meanwhile, are feeling increasingly vulnerable amid recent reports of data breaches at big companies, like Lockheed Martin, Epsilon and Sony.
A. J. Angus, a 25-year-old Google employee, was put in double jeopardy. On Thursday, he learned that his Citi credit card data had been stolen. Only a few weeks earlier, he learned that personal data on his Sony PlayStation 3 was compromised.
“You have to be vigilant,” he said, adding that he periodically checks his credit report and looks over his transactions almost daily on a personal finance Web site.
On Thursday, Citigroup began notifying about half of the 200,000 affected customers that it planned to replace their credit cards after it discovered last month that hackers had gained access to its computer systems. The bank said that the thieves obtained customer names, card numbers, addresses, and e-mail details.
Social Security numbers, expiration dates and the three-digit code found on the back of most credit cards were not compromised — a fact that security experts say makes the exposed cardholders less likely to become fraud victims.
Neither Citigroup’s debit card business nor its online banking operations were breached.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the company said in a statement.
The intrusion is not all that unique. Over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records, according to the Identity Theft Resource Center.
Credit card industry officials say security issues go to the heart of their brands and they are trying to keep up with ever-more sophisticated criminals.
“We’re not dealing with 14-year-old hacker kids,” said Steve Elefant, the chief information officer at Heartland Payment Systems, which overhauled its security measures after the systems it used to process credit and debit card transactions were hacked in 2008. “We’re talking about 21st-century bank robbers — sophisticated, organized criminal gangs, located mostly in Eastern Europe and the U.S.”
Making matters worse, nearly every step along the payment chain is outsourced from the time a card is swiped to the time a monthly statement arrives, leaving plenty of openings for enterprising thieves. Security is further hampered by a patchwork of data protection laws and regulatory agencies, each with limited mandates.
“We need a uniform national standard for data security and data breach notification,” said Representative Mary Bono Mack, a California Republican who is pushing for legislation on better consumer safeguards. “In the meantime, regulators need to do a better job of being a consumer watchdog.”
Tara Siegel Bernard, Riva Richmond and Nelson D. Schwartz contributed reporting.
Article source: http://feeds.nytimes.com/click.phdo?i=f5ec1251b3ecae6d752d066ae311c687