Citi Credit Card Breach Risk Was Anticipated

Citigroup does not know how the computer breach revealed Thursday which affected hundreds of thousands of its credit card customers took place, but such an event fell in line with a risk the company outlined to shareholders in its publicly available annual report in March.

"During routine monitoring, we recently discovered unauthorized access to Citi's Account Online," Citigroup said in a statement.

The disclosure was revealed as the company is making online and mobile devices services more common.

Among the mobile solutions the company has launched in 2010 were an integrated Cards/Bank application for iPhone and for Android devices, "which provides customers with anywhere, anytime access to their bank and credit card account information."

The company also launched a text banking service that delivers account updates on demand to mobile devices, as well as providing social media customer service through Twitter.

Citigroup told the Financial Times on Thursday that an early May breach exposed 1 percent of its North American customers' account numbers, contact information and email addresses, but did not compromise birth dates, social security numbers, card expiration dates and card security codes. The discovery was made in Early May through routine monitoring, the company said. Customers affected are being contacted. The company has 21 million card customers in the region, according to its 2010 Annual report.

Such an event of that type was not wholly unanticipated. The report outlined numerous risk factors for shareholders including computer system problems despite what it says are measures taken to protect data in line with legal requirements.

"Citigroup's computer systems, software and networks may be vulnerable to unauthorized access, loss or destruction of data (including confidential client information), account takeovers, unavailability of service, computer viruses or other malicious code, cyberattacks and other events that could have an adverse security impact," the company stated.

As to whom the culprits could be in such vulnerabilities, the company outlined a wide range of possibilities, ranging from external to internal threats.

"Despite the defensive measures Citigroup has taken, these threats may come from external actors such as governments, organized crime and hackers, third parties such as outsource or infrastructure-support providers and application developers, or may originate internally from within Citigroup," the company said.

The adverse impact on the company itself was equally wide-ranging. Citi said such events "could result in reputational damage, financial losses, regulatory penalties and/or client dissatisfaction or loss."

Information security and the protection of confidential and sensitive customer data "are a priority" for the company.

Citigroup said its security systems are being implemented in accordance to the law, noting it has in place an Information Security Program in accordance with the Gramm-Leach-Bliley Act and regulatory guidance."

The ISP "is reviewed and enhanced periodically to address emerging threats to customers' information," Citi said.