20110609-Citibank-2011

06/09/2011 Citibank

a Financial or Insurance Services firm in New York, New York
360,000 accounts compromised
 
Hackers have managed to access the information of approximately 1% of Citibank’s 21 million users. U.S. Customer names, account numbers, and contact information were exposed. Security codes and dates of birth were not exposed. The breach occurred sometime in May 2011.
 
UPDATE(6/13/2011): Citibank released an official statement on the Citigroup website.
 
UPDATE(6/14/2011): It has been revealed that hackers obtained customer names, account numbers and transaction information by logging into the customer credit card site and guessing the account numbers of other customers. Since the account number appeared in the web address browser bar, simply altering an account number allowed the hackers to access a different account. The hackers also utilized an automatic computer program to guess account numbers quickly. This incident appears to have occurred in early May.
 
UPDATE(6/14/2011): Connecticut Attorney General George Jepsen asked Citigroup Inc. to provide more information about the data breach. Jepsen feels that more information about the types of account information exposed, the cause of the breach, the steps taken to notify affected individuals and the steps to prevent future breaches is needed. He requested the additional information by June 22.
 
UPDATE(6/16/2011): The number of affected individuals has been raised from 210,000 to 360,000. Further investigation of and information about the breach revealed that the breach was discovered on May 10. By May 24, Citigroup officials concluded that the data thieves had captured names, account numbers, and email addresses of about 360,000 customer accounts. Social Security numbers, expiration dates, and three-digit security passwords found on the back of credit cards were not exposed.
 
UPDATE(6/24/2011): At least 3,400 of the customers whose credit card information was stolen have suffered a combined loss of $2,700,000.
 
UPDATE(09/03/2013): Citibank has agreed to pay $15,000 in civil penalties to Connecticut’s Privacy Protection Guaranty and Enforcement Account and $40,000 to the General Fund of Connecticut. Citibank will also hire a third party to conduct an information security audit of the Account Online section of Citibank’s website.
 
Customers may call 888-640-4982 for more information.

 
 

Return to 2011 details page
Year links page
Return to References page