Citibank Confirms Fraud in Canada, UK, Russia Linked to Breach

A Citibank spokesperson says that some transactions in Canada, the United Kingdom and Russia are being blocked because of a past security breach.

A Citibank spokesperson has confirmed that the company is blocking some customer transactions in Canada, the United Kingdom and Russia because of fraudulent transactions stemming from a past security breach affecting Citibank customers.

The bank recently became aware of fraudulent ATM cash withdrawals on Citibank-branded MasterCard credit and debit cards in those countries and says the transactions are linked to accounts that may have been compromised in a security breaches at "retailers in the U.S.," according to an e-mail statement issued by Citibank. The statement is one more piece in a mounting pile of evidence that a large-scale security breach has exposed the information of U.S. consumers, though banks and credit card issuers have declined to comment on the case.

Citibank has been monitoring an undisclosed number of accounts as a result of the security breach. The bank recently began to notice a high number of fraudulent withdrawals in the United Kingdom, Canada and Russia, and set up policies to block PIN card transactions in those countries, according to Elizabeth Fogarty, a Citibank spokesperson.

Anecdotal accounts of Citibank customers being blocked from conducting ATM transactions outside the United States have appeared online in recent days.

Fogarty said the accounts that Citibank was monitoring were exposed in a "previous retailer breach," though she could not say how many accounts were exposed, or in which of the recent security breaches the accounts were compromised. The accounts could have been exposed in a number of attacks, including the massive breach at credit card processor CardSystems, or a breach at HSBC and Ralph Lauren in early 2005, she said.

A source at HSBC in Canada who asked not to be identified, citing company confidentiality, said that rumors about the breach were circulating in banking security discussion groups online but denied any direct knowledge of a breach.

Citibank is blocking the accounts of U.S. account holders whose accounts were potentially exposed and who attempt PIN-based transactions in Canada, the United Kingdom and Russia. Those account holders are being reissued cards, Fogarty said.

"Protecting our customers accounts and personal information is one of our highest priorities," she said.

Nevertheless, the steady drip of announcements from U.S. banks about debit and ATM card reissues and fraudulent activity related to a "security breach" at an unnamed "U.S. retailer" has raised suspicions that banks and credit card companies are covering up a major security lapse.

In February, Bank of America, MasterCard International and Visa all informed banks that a security breach at a U.S. retailer had exposed some customer accounts.

/zimages/5/28571.gifAt least one bank said that systems belonging to Wal-Mart Stores may be to blame. Click here to read more.

Bank of America was forced to shut down "numerous" debit cards as a precautionary measure against potential fraud. MasterCard notified banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.