Multinational financial service provider Citigroup appears to be snake-bitten by security problems, and not just through Web hacking.
Eight weeks after a hacker cracked its credit card database, the company's credit card unit in Japan, Citi Card, reported in a message to its user base Aug. 5 that "certain personal information of about 92,400 customers has allegedly been obtained and sold to a third party illegally."
This breach, however, apparently did not involve online hacking. Citigroup told police that a person involved in a company to which Citi Cards outsourced part of its business had illicitly obtained the information and sold it to a third party.
Information made vulnerable includes account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened. Citi revealed that personal identification numbers and security codes (CVV, or Card Verification Value, data) were not compromised.
Despite the data theft, no unauthorized use of the cards had been reported by the end of business on Aug. 5, the Kyodo News reported.
On June 15, Citigroup reported in a letter to customers that 360,083 credit card accounts were accessed as a result of an online data breach. Citigroup originally reported June 9 that "roughly 1 percent" of its 21 million credit card accounts had been accessed by hackers, or about 210,000 accounts.
As a result of that attack, Citi disclosed that hackers stole $2.7 million from about 3,400 customers in North America in May following a major data breach. Citi was criticized for not reporting the breach sooner.
eWEEK Senior Writer Fahmida Rashid contributed to this story.