Citigroup hit by another data breach, as 92,000 Japanese customers affected

News by Dan Raywood

Citigroup has confirmed that customer information has been obtained and sold to a third party illegally.

Citigroup has confirmed that customer information has been obtained and sold to a third party illegally.

According to an advisory, the Japanese division Citi Cards Japan (CCJ) said that personal information of 92,408 customers, including account numbers, names, addresses, phone numbers, date of birth, gender and the date the account was opened was breached.

However it said that security information, including PIN numbers and card security codes (CVVs) had not been compromised.

It said: “CCJ immediately reported the inappropriate sale to the relevant authorities and the police and has been cooperating fully with the investigation. While the risk of fraud is minimal due to the absence of security information, CCJ has placed internal fraud alerts and enhanced monitoring on all accounts identified and no unusual or suspicious credit cards transactions relating to these customers have been detected at this point.

“CCJ is taking necessary actions to contact all the customers affected by letter and its

homepage. CCJ will re-issue credit cards should affected customers wish to do so. Should any fraudulent transactions occur, affected customers will not be held responsible. CCJ takes the safeguarding of customers' information seriously and will take firm action against parties involved in the information theft.”

Citigroup was hit by a breach of around 200,000 North American customers in June of this year, when its network was hacked. In that instance, sensitive information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.

Talking to SC Magazine, Imperva CTO Amichai Shulman, said that there were notable similarities between this case and the T-Mobile incident from 2009, where customer data was sent to third parties by a rogue employee.

He said: “Looking at the language used by Citi, there seems to have been no method to try and identify the breach and it sounds like they know who is responsible for it. This is not an application vulnerability as it was in June and it sounds like someone inside as all of the language suggests it.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews