Another Major Hack; Citibank The Latest Victim

  on
File photo shows a Citibank sign at a bank branch in midtown Manhattan, New York
A Citibank sign is seen at a bank branch in midtown Manhattan, New York in this November 17, 2010 file photo.

The big corporation hacking continues to roll on; Google, Sony, Lockheed Martin, PBS, Episilon and feel free to add Citibank to the mix.

Citibank announced approximately 200,000 credit card customers in North America have had their names, account numbers and email addresses stolen via a hack to their online account site. Citibank, which has issued 21 million credit cards in North America, said the hack affected only one percent of its customers. The bank said it is in the process of contacting those customers.

Citibank, which is based in New York City, said it discovered the problem during routine monitoring. It didn't give an estimate of the exact number of people affected; but most reports say it is around the 200,000 mark. The bank said hackers did not get access to social security numbers, birth dates, card expiration dates or card security codes.

Over the past year, major corporations have increasingly been victimized by high profile hacks. Sony on numerous occasions has had its servers hacked and customer data has been illegally accessed. Google's Gmail was hacked from China this past month. PBS's website was hacked and false information was posted on it. These are just a few examples.

Tim Armstrong, security expert at Security News Daily, said many large-scale corporations have lax security posture. He said it has become so easy for a motivated group or individual to find a way in, it's trivial. Another security expert, John Ottman, chief executive of Application Security Inc., told the Associated Press that hackers are realizing large corporations don't protect their databases well.     

Like Sony before it, Citibank has received criticism for failing to report the hack immediately. The Financial Times was actually the first source to report the news, and Citibank didn't confirm it until afterwards. Data breaches of large corporations, and their failure to report it, has gotten attention from Capitol Hill. Senator Patrick Leahy (D-VT) pushed for the Personal Data Privacy and Security act to get passed this week.

The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country, Leahy stated.  The Personal Data Privacy and Security Act will help meet that challenge, by better protecting Americans from the growing threats of data breaches and identity theft.

Included in his law would be stiff penalties for companies such as Citibank and Sony, which fail to immediately report a data breach.

As far as what Citibank customers should do in the mean time, Chester Wisniewski, a senior security advisor at security firm Sophos, has a few suggestions for the victimized customers.

Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries. While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime. Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims, Wisniewski said.

Follow Gabriel Perna on Twitter at @GabrielSPerna

Join the Discussion