Citigroup Reports Another Card Breach

Eight weeks after a hacker cracked Citigroup’s credit card database, the company’s credit card unit in Japan, Citi Card, reported in a message to its user base on 5 August that “certain personal information of about 92,400 customers has allegedly been obtained and sold to a third party illegally”.

This breach, however, apparently did not involve online hacking. Citigroup told police that a person involved in a company to which Citi Cards outsourced part of its business had illicitly obtained the information and sold it to a third party.

No unauthorised use

Information made vulnerable includes account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened. Citi revealed that personal identification numbers and security codes (CVV, or Card Verification Value, data) were not compromised.

Despite the data theft, no unauthorised use of the cards had been reported by the end of business on 5 August, the Kyodo News reported.

On 15 June, Citigroup reported in a letter to customers that 360,083 credit card accounts were accessed as a result of an online data breach. Citigroup originally reported June 9 that “roughly 1 percent” of its 21 million credit card accounts had been accessed by hackers, or about 210,000 accounts.

As a result of that attack, Citi disclosed that hackers stole $2.7 million (£1.6m) from about 3,400 customers in North America in May following a major data breach. Citi was criticised for not reporting the breach sooner.