Problem: Cardholders' Information at Citigroup Hacked

On May 10, 2011, Citigroup, a 200-year-old U.S. financial services institution with more than 200 million customer accounts in 160 countries, discovered a breach in their credit card information systems. Bank officials believed that about 200,000 credit cardholders, or 1 percent of its customers, were affected. Within 24 hours the company launched an internal investigation to determine the cause of the breach and to assess the significance of the damages. The investigation took 12 days to complete. The investigation concluded that names, account numbers, and e-mail addresses were exposed, but more sensitive data, such as Social Security numbers, credit card expiration dates, and the three-digit security code located on the back of the cards, were not accessed. It also discovered that more than 360,000 cardholder accounts, more than three times the originally estimated 100,000, had been breached. The bank alerted law enforcement agencies and customers.

In a notification letter, mailed on or shortly after June 3, Citigroup reassured customers that they would not be held liable for fraudulent charges. The company also offered customers free identity theft protection assistance if they believed that they were a victim of improper use of their card or of identity theft. The bank also provided replacement cards, with new numbers. Public notification of the security breach occurred on June 9. Citigroup customers were outraged, not only at the security breach but also that it took the bank three weeks to notify them of the risk that criminals might be able to access their credit card information. Consumer advocates accused Citigroup of dragging its feet before notifying customers that some of the data had been compromised. "Every minute that passes after a hacker gains access to customers' confidential information means a greater risk of both monetary and identity theft," said Mandeep Khera, an executive at an online security firm. Khera said that Citigroup "had done a disservice to customers because of the delay."

In response, the bank reported that it had taken appropriate measures to protect certain customers by sending out an internal fraud alert to all those customers deemed at risk. The company did not disclose the criteria used to determine which customers were perceived as being at risk. A Citigroup spokesperson also explained that the figures provided were always rough estimates and the discrepancy regarding how many accounts were exposed could be attributed to an increase in the number of its credit card accounts and other factors. It was later reported that customers lost $2.7 million due to the cyberattack. The bank reimbursed customers for these losses.

Once the breach was made public, Citigroup security experts joined federal authorities, including the Secret Service and the FBI, in continuing investigations into how the bank was attacked. They discovered that hackers had infiltrated a "garden variety" security hole in the company's website for credit card users that was so common it was listed as one of the top 10 risks compiled by the Open Web Application Security Project. The New York Times reported that hackers had used a technique that allowed them to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times. "That's an easy attack to detect and they just didn't do it," said the chief executive officer of Aspect Security. "It's really a common flaw."

Citi reported that it had implemented additional enhanced procedures to prevent similar incidents from happening in the future. Some security experts suggested that Citigroup's response was reasonable. By discovering and investigating the breach internally and before making a public statement, the bank was able to report verified information to calm customers' fears, especially for those whose data were not compromised. The Senate banking committee announced that it would hold hearings on data security prompted by Citigroup's experience since this security breach followed other attacks, such as at Sony, RSA Security, and Lockheed Martin. A few days before the Citigroup attack, the International Monetary Fund reported that it had been hit by "a cybersecurity incident." These attacks were fueling concerns among financial regulators and security experts that banks and other organizations were not doing enough to protect themselves and their customers and other stakeholders. In addition, the Federal Deposit Insurance Corporation, which regulates the nation's banks, announced that it was pushing for stronger account security measures at those institutions. The agency also reported that it was "developing additional guidance to enhance authentication procedures when customers access their online accounts." Unfortunately, three months later, Citigroup announced another security breach involving 92,400 customers at its Japanese unit. The cardholders' names, account numbers, phone numbers, and birthdates were illegally sold to a third party.
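The account-to-account leapfrogging reported above works only when the server does not verify that the logged-in user owns the account named in the URL, and the resulting request pattern stands out in access logs. The following is an added example, not part of the original case study and not Citigroup code; the `/accounts/<id>` URL shape, the log format, the user names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed ownership table: account id -> owning user (hypothetical data).
OWNERS = {"1001": "alice", "1002": "bob", "1003": "carol", "1004": "dave"}

# Constructed access-log lines: "<session user> GET <path> <status>".
# The /accounts/<id> URL shape is an assumption, not the bank's real scheme.
SAMPLE_LOG = """\
alice GET /accounts/1001 200
bob GET /accounts/1002 200
mallory GET /accounts/1001 200
mallory GET /accounts/1002 200
mallory GET /accounts/1003 200
mallory GET /accounts/1004 200
alice GET /accounts/1001 200
"""

LINE_RE = re.compile(r"^(\S+) GET /accounts/(\d+) (\d{3})$")


def is_authorized(user, account_id, owners=OWNERS):
    """Server-side check: being logged in is not enough, the session
    user must own the account named in the URL."""
    return owners.get(account_id) == user


def find_enumeration(log_text, owners=OWNERS, threshold=3):
    """Return {user: sorted foreign account ids} for sessions that touched
    at least `threshold` distinct accounts they do not own."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not account requests
        user, account_id, _status = m.groups()
        if not is_authorized(user, account_id, owners):
            foreign[user].add(account_id)
    return {u: sorted(ids) for u, ids in foreign.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Enforcing `is_authorized` on every request closes the hole; `find_enumeration` is the detection side, flagging any session that reaches several accounts it does not own.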

Discussion Questions

1. Did Citigroup act quickly enough to inform customers of potential vulnerabilities to customers' funds and identities, or should the bank have waited, as it did, until the internal investigation was completed?

2. If you were a credit card customer, would you feel secure that banks, such as Citi, are adequately protecting your personal information and guarding against criminals accessing your money or stealing your identity?

3. What role should government play in protecting individuals against hackers acquiring sensitive personal information, or should this remain the responsibility of the companies storing the information?

4. Are hacking incidents simply a way of life in the information age or should our sensitive, personal information be better protected?
