The U.S. Federal Bureau of Investigation is probing a computer hacking that targeted Citigroup Inc and resulted in the theft of tens of million of dollars, The Wall Street Journal said, citing U.S. government officials.
Citigroup disputed the report and said customers had not lost money.
The cyber attack, believed to be linked to a Russian gang, was aimed at Citigroup's Citibank subsidiary, the paper said, adding it was unclear whether the hackers gained access to the bank's systems directly or through third parties.
Two other entities, including a U.S. government agency, were also attacked by hackers, the paper said, citing people familiar with the Citibank incident.
The attack on Citibank is believed to have taken place over the summer and was detected at that time, but investigators suspect it could have taken place up to a year earlier, the paper said.
Most financial institutions of this magnitude are working extremely hard to avoid this kind of thing and be out ahead of it, said Scott Vernick, a lawyer at Fox Rothschild LLP whose practice includes electronic data securities matters.
The problem is the criminals are working even harder, Vernick added.
Joe Petro, managing director of Citigroup's Security and Investigative services, said in an emailed statement, We had no breach of the system and there were no losses, no customer losses, no bank losses.
Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.
In Washington, an FBI spokesman said he had no information about the reported investigation.
The Wall Street Journal mentioned a Citibank customer who saw more than $1 million removed from his account and sent to banks in Latvia and Ukraine. The bank helped him recover most of the money and reimbursed him for the rest, the newspaper reported, adding that it was not clear whether the incident was part of the larger attack on Citigroup.
In a statement, the bank said it was an isolated case of fraud.
Citigroup also said that attacks are directed against companies globally, and while there had been attempts to interfere with the bank's systems, none had been successful.
But Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, said, I don't want to sound alarmist ... but the evidence is just overwhelming today that attacks are successful in many instances, particularly socially engineered attacks.
(Reporting by Dan Wilchins in New York; additional reporting by Dan Margolies in Washington and Ajay Kamalakaran in Bangalore; editing by Valerie Lee and John Wallace)