Citi hacking spurs federal security move

The US Department of Homeland Security has joined with federal law enforcement to advise financial institutions on how to protect themselves from online attacks after a breach of Citigroup’s consumer credit card database.

The expanded investigation comes as documents filed by Citi to a state regulator and obtained by the Financial Times show that 360,069 credit card accounts were affected by the breach in the United States – or 80 per cent more than had previously been reported by the bank.

Citi had previously said 1 per cent of the 21m credit card accounts in North America were affected. It was widely reported that about 200,000 accounts were affected.

The DHS’s Computer Emergency Readiness Team “is working with federal law enforcement partners to develop and distribute mitigation measures to other financial sector partners”, department spokesman Chris Ortman told the Financial Times on Wednesday. The US Secret Service is the lead agency as part of its mission to defend currency and finance from counterfeiting and fraud.

More details are emerging about the cyberattack as Citi files reports with individual states that monitor security breaches.

A document filed on June 10 with the North Carolina attorney-general provided more information on the accounts affected and added details to the timeline. Citi said in that document that the breach was identified on May 10 and by May 17 “we identified most customer accounts impacted”.

By May 24, all customer accounts affected were identified, the Citi filing said. “We began notifying our customers of the incident June 3,” it said.

Citi began alerting states the next week, with letters sent by fax and overnight mail and received on June 10, following news reports of the breach.

Citibank said in a statement released on Wednesday that “none of the data breached was sufficient to perpetrate fraud”.

Three security experts who were involved with the investigation but declined to be identified, as they were not authorised to speak, said they believed the hackers impersonated legitimate customers by keying in strings of characters acquired from another site. The DHS advisory notice is likely to come through a secure channel aimed at banks, one official said.

There is no federal requirement about customer notification in the event of a security breach. Forty-seven states require some notification to customers; some states require separate notice to the authorities. In this case, a Citi spokesman said 14 states were required to be notified.

“We have taken steps to bolster the security of Account Online,” according to the notification letters signed by Jeffrey D Gednalske, associate general counsel, for Citigroup’s US banking unit.

Mr Gednalske did not elaborate on how Citi enhanced its security. His letter included a sample notice to customers that warned they would be responsible for monitoring their own accounts for up to two years because of the incident.

Security experts involved in the probe said the attack might not have taken advantage of a programming language vulnerability, but rather one regarding the way the site was administered.

For that reason, the advisory from DHS is likely to be issued through a secure channel aimed at other banks, rather than made public as a general warning to all website owners and users, an official said.

Copyright The Financial Times Limited 2017. All rights reserved.