Major U.S. banks came under growing pressure from banking regulators to improve the security of customer accounts after Citigroup Inc became the latest high-profile victim of a cyber attack.
While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry's data security measures.
The Federal Deposit Insurance Corp, the nation's primary regulator, is preparing new measures on data security. Its chairman Sheila Bair said on Thursday she may ask some banks to strengthen their authentication when a customer logs onto online accounts.
Citigroup said late on Wednesday that computer hackers breached the bank's network and accessed the data of about 200,000 credit-card holders in North America. It would not discuss what new security measures Citi is taking.
The third-largest U.S. bank waited more than a month before making the full extent of the breach public, drawing criticism on Thursday from lawmakers and lawyers.
Citigroup is the latest in a growing list of companies that have suffered cyber attacks, including Sony, Google Inc and Lockheed Martin. The bank also has faced problems with customer security before. In April, a massive data breach at the email marketer Epsilon exposed the names and email addresses of customers at many large U.S. companies and banks, including Citigroup. And a 2008 attack on a Citigroup computer server let hackers withdraw at least $750,000 from the bank's cash machines in New York City.
Security experts said the latest attack may be a watershed moment for the U.S. banking industry, which until now has suffered fewer direct hacker attacks than retailers.
We're getting to the tipping point in terms of the number of fraud cases, said Gartner Research security analyst Avivah Litan.
As regulators weigh whether to require more spending on security, this could be the straw that breaks the camel's back, she said.
Citigroup spokesman Sean Kevelighan said on Thursday that the bank would replace the majority of the credit cards affected by the data breach. The bank said its attackers viewed the names of customers, account numbers and contact information, including e-mail addresses.
Citigroup said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.
Debit cards were not affected, Kevelighan said Thursday.
The Financial Times reported on Wednesday that the bank discovered the breach in early May.
Kevelighan on Thursday told Reuters that once the bank became aware of the attack, we immediately took steps to monitor the impacted customers accounts. But he would not further explain the bank's decision to delay making the breach public, citing security reasons.
Like Sony, which has declared several security breaches of its networks this year, Citi has already started to come under fire for not telling customers sooner.
Representative Mary Bono Mack is preparing legislation to ensure faster notification to customers, her spokesman told Reuters.
Representative Jim Langevin, who follows cyber issues closely, said that data breaches were a fact of life but that companies had to inform customers.
I was shocked by the report that Citigroup knew that their customers' data was potentially exposed back in early May, but is only now, a full month later, informing the public about this threat to their personal information, he said in a statement.
Ira Rothken, a San Francisco-based attorney who represents plaintiffs in hacking cases, said his firm is investigating whether the information compromised in the Citi breach has led to any secondary intrusions against impacted customers.
If a bank can't keep data secure, it's going to have a chilling effect not only on the banking industry, but on ecommerce, Rothken said.
Cyber attacks at banks could dampen customers' enthusiasm to pay for things online or with their phones. Many banks, including Citigroup, are trying to develop ecommerce and mobile payments projects in the hopes of generating more revenue from U.S. customers.
Other large U.S. banks have a better record of informing and helping customers whose data has been compromised, according to the payments consulting firm Javelin Strategy and Research. Bank of America Corp, Discover Financial Services and US Bancorp all scored higher than Citigroup a year ago when Javelin assessed how well the top U.S. lenders dealt with potential data compromises affecting their customers.
Banks' strong preference is to handle things themselves and not get the customer involved until the bank believes that they've handled all the important parts of the investigation, Javelin founder James Van Dyke said.
I don't think that makes sense when dealing with potential identity fraud, he said.
Kevelighan would not discuss how Citigroup's breach had occurred. Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card customers, which the bank's annual report says total 21 million.
Banks can be particularly attractive targets for cyber criminals, Bair said on Thursday. It's kind of a constant. It's one of the many risks that you have to deal with.
Federal banking regulators last updated their guidance on Internet banking security standards in 2005.
The regulators proposed an update to those standards in December 2010, saying they were increasingly concerned that customer authentication methods implemented several years ago may no longer be effective ... (and) have also become aware that some institutions have failed to perform periodic risk assessments and update their control mechanisms appropriately.
Such updated standards would likely have more of an impact on small banks than on big financial companies, which already spend heavily on data security protection, said Aite Group analyst Julie Conroy McNelley.
But updated federal guidance for banks is something that is long overdue, she said.
(Reporting by Maria Aspan; additional reporting by Ross Kerber in Boston, Diane Bartz in Washington and Dan Levine in San Francisco; editing by John Wallace, Gunna Dickson and Stella Dawson)