Hackers have breached Citigroup's banking network and accessed the data of about 200,000 North American customers.
According to Reuters, Citi said that the names of customers, account numbers and contact information, including email addresses, were viewed in the breach. However, it said that sensitive information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) was not compromised.
Citi said it had discovered the unauthorised access at Citi Account Online, an online banking service, through routine monitoring but did not say how the breach had occurred.
Spokesperson Sean Kevelighan said: “We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details.”
Chester Wisniewski, senior security advisor at Sophos Canada, said: “Feeling secure is not the same as being secure. How this information was acquired and why it wasn't protected against theft is a far more important question.
“While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime.
“Considering that the attackers have your name, account number and other sensitive information, they are able to provide a very convincing cover story to victims.”
Mike Paquette, chief strategy officer at Top Layer Security, said: “It appears that the leaked Citigroup data was not in itself sufficient to be used directly for fraud or theft. This is the good news and suggests that Citigroup is using a solid information architecture for the storage of cardholder data.
“It is not known if the leaked information was encrypted before being stolen, as it has not yet been disclosed how the actual breach took place.”
Ron Gula, CEO of Tenable Network Security, said: “While in hacking situations like this there will never be a single point solution that could have mitigated such an attack, this case once again demonstrates the need for online services to deploy real-time vulnerability scanning.
“Maintaining a holistic view of networks is the simple step that can catapult an organisation to being well on the way to protecting customer cardholder data. As data breach headlines like this continue to flow and security requirements continue to grow, now is the time for IT departments and boardrooms alike to take a proactive view of regulation such as PCI.
“They also need to realise that proactively protecting customers' data may not be as complicated, costly or time consuming as they feared. Moving forward, the IT network management environment is only going to become more complex and challenging, both internally and externally, so system administrators must ensure they have a holistic view of their networks and can see what's happening, at every moment, to make sure they're not the next company to leak their customers' details.”