Citi admits customer data at risk after breach

Citigroup has acknowledged that a computer breach may have given hackers access to the data of hundreds of thousands of bank card customers.

The US bank on Wednesday revealed details of the breach, which it said it discovered in early May through routine monitoring, after being questioned by the Financial Times. The bank said that about 1 per cent of its card customers were affected. Citi Cards has about 21m customers in North America, according to the bank’s annual report.

The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and e-mail addresses. Other information, such as birth dates, social security numbers and card security codes, is held elsewhere and was not compromised, Citi said.

The bank said it had contacted law enforcement officials and tightened its fraud detection procedures, but declined to provide further details or to say whether customers had reported suspicious transactions.

Citi said the breach affected credit card accounts only, but several people that the FT spoke to said their debit cards were compromised. These people said they did not learn of the problem until they tried to use their cards at the weekend and had the transactions denied. Citi said it had been contacting customers whose information was involved.

Hacking into companies is becoming increasingly common. Lockheed Martin, PBS and Sony have all recently had their security systems violated. But analysts said bank systems were considered very secure and it was unusual for a financial institution to experience such a breach directly. More common is for account information to be stolen indirectly, such as at Michaels Stores, the US retailer, where debit card check-out terminals were tampered with.

“For the actual breach to happen at a bank is a very big deal,” said Avivah Litan, an analyst with Gartner Research.

Regulatory guidelines issued in 2005 state that banks should notify their primary regulator in the event sensitive customer data is breached. The guidelines do not require banks to notify customers if doing so would compromise the investigation of law enforcement officials. The Office of the Comptroller of the Currency, Citi’s primary regulator, was unavailable to comment.

The good news for consumers is that any money stolen from either their credit or debit card account is recoverable.

“The bad news is they are incredibly inconvenienced,” Ms. Litan said.

Copyright The Financial Times Limited 2017. All rights reserved.