Citigroup officials now say that 360,083 credit card accounts were accessed in the data breach this month, far more than the 210,000 they originally estimated.
Citigroup released the revised tally in a letter to customers June 15. The release came after Connecticut Attorney General George Jepsen said the company was not giving out enough information about how the breach occurred and how customers should be protected.
Citigroup originally reported June 9 that “roughly one percent” of its 21 million credit card accounts had been accessed by hackers, or about 210,000 accounts. New cards have been re-issued to 217,657 account holders.
“Some accounts were not re-issued credit cards if the account is closed or has already received new credit cards as a result of other card replacement practices,” said Citigroup. The company will continue monitoring those accounts for suspicious activity. Internal fraud alerts and enhanced monitoring were placed on all accounts “deemed at risk” as soon as the breach was discovered.
Citigroup discovered the breach May 10, but only began sending out notification letters June 3. Company officials defended the delay, saying they needed to analyze “millions of pieces of data” to determine the cardholder impact. Citigroup is taking “every necessary action to ensure our customers are cared for,” the company said.
According to the customer letter, Citigroup had confirmed the full extent of the breach by May 24.
Citigroup didn’t disclose any new facts about how the attack occurred, citing the “security of our customers” and “the ongoing law enforcement investigation.”
The cyber-attackers compromised user accounts by simply inserting account numbers into the URL of the Web portal for Citi credit card customers, The New York Times reported June 13. The attackers first logged on to the Web portal for Citi credit card customers using a legitimate account. Once logged in, they “leapfrogged” between various accounts by directly inserting various account numbers into the URL displayed in the Web browser’s address bar, the Times reported. The attack used a script that automatically modified the URL “tens of thousands of times” to capture private data, according to the Times.
Flaws in online customer portals are not unusual, even for banking sites, Nicholas J. Percoco, senior vice president of Trustwave’s SpiderLabs, told eWEEK. Most of these flaws are found when someone is authenticated to the system, as opposed to just visiting the Webpage, making it possible that a customer account may have been compromised to launch the initial attack.
Organizations need to test their customer-facing sites for security issues from “an unauthenticated point of view,” Percoco said. Otherwise, “they are not identifying critical vulnerabilities that an attacker with a user name and password to a customer portal can exploit.”
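The flaw the Times describes is a missing object-level authorization check: the portal verified that a visitor was logged in, but not that the account number in the URL belonged to that login. The example below is added here and is not Citigroup’s code or anything from the article; the account store, user names, log lines and the enumeration threshold are constructed placeholders. It shows the weak handler beside a hardened one that ties the lookup to the session’s owner, and a simple detection pass over portal access logs that flags a session requesting more distinct account numbers than a real cardholder would plausibly hold, which is the kind of monitoring that would surface a scripted walk through account numbers.

```python
import re
from collections import defaultdict

# Constructed sample store (placeholder data, not from the article):
# card account number -> record, including which portal login owns it.
ACCOUNTS = {
    "4000-0001": {"owner": "alice", "holder": "Alice Example", "email": "alice@example.com"},
    "4000-0002": {"owner": "alice", "holder": "Alice Example", "email": "alice@example.com"},
    "4000-0003": {"owner": "bob", "holder": "Bob Example", "email": "bob@example.com"},
}


def lookup_vulnerable(session_user, account_id):
    """Authentication-only check: any logged-in user can read whatever
    account number appears in the URL. This is the weak pattern."""
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS.get(account_id)


def lookup_hardened(session_user, account_id):
    """Object-level authorization: the record is returned only when the
    session's user owns it. A missing account and someone else's account
    both yield None, so the response does not reveal which numbers exist."""
    if session_user is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Access-log format is an assumption for this example.
LOG_LINE = re.compile(
    r"session=(?P<session>\S+) user=(?P<user>\S+) "
    r"GET /account\?acct=(?P<acct>\S+) (?P<status>\d{3})"
)

# Constructed access log: one ordinary session (s1) and one session (s2)
# that requests a run of different account numbers in quick succession.
SAMPLE_LOG = """\
2011-05-10T02:13:44Z session=s1 user=alice GET /account?acct=4000-0001 200
2011-05-10T02:13:51Z session=s1 user=alice GET /account?acct=4000-0002 200
2011-05-10T02:14:02Z session=s2 user=carol GET /account?acct=4000-0003 200
2011-05-10T02:14:02Z session=s2 user=carol GET /account?acct=4000-0004 200
2011-05-10T02:14:03Z session=s2 user=carol GET /account?acct=4000-0005 200
2011-05-10T02:14:03Z session=s2 user=carol GET /account?acct=4000-0006 404
2011-05-10T02:14:04Z session=s2 user=carol GET /account?acct=4000-0007 200
"""


def flag_enumeration(log_text, max_distinct_accounts=3):
    """Return the sessions that requested more distinct account numbers than
    the threshold. The threshold is an assumed value; tune it to the number
    of cards a single customer can realistically hold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            seen[m["session"]].add(m["acct"])
    return {s for s, accts in seen.items() if len(accts) > max_distinct_accounts}


if __name__ == "__main__":
    print("vulnerable, bob reads alice's card:", lookup_vulnerable("bob", "4000-0001"))
    print("hardened, bob reads alice's card:  ", lookup_hardened("bob", "4000-0001"))
    print("hardened, alice reads her own card:", lookup_hardened("alice", "4000-0001"))
    print("sessions flagged for enumeration:  ", flag_enumeration(SAMPLE_LOG))
```

The hardened handler also answers Percoco’s point about test coverage: an authenticated test that requests an account number the test login does not own should receive the same response as for a nonexistent account, and an authorization test suite that never logs in cannot observe that difference at all.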
Attackers stole account information including names, account numbers and contact information, such as email addresses. Customers’ Social Security numbers, dates of birth, card expiration dates and card security codes were not accessed. Citigroup reassured customers that the main card-processing system and other Citi banking online systems were not accessed or compromised.
Sensitive data such as expiration dates and security codes are generally not stored in a customer account portal, said Percoco.
While the information stolen won’t allow cyber-criminals to access funds directly from user accounts, Citigroup has promised customers they won’t be liable for any unauthorized activity on their accounts that may arise from the breach.
Citigroup provided a state-by-state breakdown of affected customers. Most of the victims—80,454 of them—live in California. Texas was the second-most affected, with 44,134 customers, followed by Illinois with 30,054 victims, New York with 25,312 and Florida with 20,303. It appears only North American Citi-branded card users were affected.