More than 360,000 North American credit cards were exposed in May when
an attack on Citigroup infiltrated that company’s card account
management website according to a report by IDG News.
The breach exposed the names, account numbers, and contact information of account holders, but not other personal information such as Social Security Numbers, dates of birth, and card expiration dates, according to the report.
Citigroup declined to provide further information on the attack, citing an on-going investigation. The company has thus far failed to explain how the breach occurred and how the company plans to keep such breaches from occurring in the future, prompting criticism from Connecticut Attorney General, George Jepson.
The New York-based financial services company initially disclosed the breach last week, claiming that only 210,000 accounts had been compromised. The company acknowledged a 20-day gap between when it became aware of the breach and when notification letters were sent to those affected.
Citi is the latest in a growing line of financial and e-commerce companies to suffer such breaches. Back in May, Finnish authorities arrested 17 individuals in connection with an attack in Nordea Finland’s online banking system. Other financial companies have suffered breaches in recent years as well, as hackers focus their energy on high-value targets to yield the more lucrative data.
As with banking itself, much of the fraud has moved online according to a 2011 study by the Business Banking Trust. The issue of attributing blame in these compromises is proving to be a contentious one as well, with a number of cases making their way through Federal and state courts questioning whether customers or the banks are to blame lapses in security.
On Thursday, BITS, a group made up of executives of leading financial services firms, published a report on malware that urged financial services companies to share more information about attacks and breaches with their counterparts, and to adopt better methods for detecting and responding to malware and other security incidents.