Citigroup Hack Toll Higher Than First Thought

Matthew Broersma,
data security

About 360,000 Citigroup credit cards were affected by last month’s hack, nearly double previous estimates

Citigroup has revealed that about 360,000 credit cards were affected by a security breach in May, about 80 percent more than the bank’s previous estimates had indicated.

In a statement released on Wednesday night, Citigroup said a total of 360,083 Citi-branded cards in North America were affected.

Higher figure

Previously the group had said roughly 1 percent of its 21 million North American cardholders were affected, amounting to about 200,000 customer accounts.

Citigroup representatives said the larger figure was partly due to the fact that some customers have more than one card account.

The bank said it has replaced the cards of about 217,000 customers as a result of the attack. Other affected customers were already having their cards replaced for other reasons or were closing their accounts, Citigroup said.

The new facts were released as several US state regulators opened inquiries into the breach, joining investigations by federal authorities including the Secret Service and the FBI.

About 80,000 accounts in California were affected, the highest number of any state.

Customer data

The bank discovered the breach on 10 May and began an investigation. The breach was publicly disclosed on 9 June.

Citigroup has said the thieves captured customers’ names, account numbers and email addresses but did not obtain social security numbers, card expiration dates or the security numbers found on the backs of cards, meaning the data would be insufficient to commit fraud.

The company did not release new facts about how the attack occured, but said it is taking “every necessary action to ensure our customers are cared for”.

The breach has exposed concerns about how Citigroup reacted to the hack.

According to the FT, a number of customers only discovered the issue last weekend when their card transactions were denied. This raises concerns about Citigroup’s notification procedures, a fact not helped by the startling lack of information on its websites.

The Citi Account Online website, for example, still does not have a notification of the breach on its landing page as of Thursday afternoon, and neither does the front page of the group’s main site.

Whilst hacking attacks are becoming all too common nowadays as evidenced by the Playstation Network hack last month, it is relatively rare for hackers to succeed in breaching a bank itself, as they usually use the latest and greatest security methods.

Instead, hackers often target the retailers or partners that store large caches of credit card numbers. That said, the TJX hack in 2007 or Heartland Payment Systems in 2009 reportedly exposed more credit card accounts than the 212,000 Citigroup accounts.