Citi admitted today that 200,000 customer bank card accounts had been compromised by hackers. From Suzanne Kapner at the Financial Times:
The U.S. bank on Wednesday revealed details of the breach, which it said it discovered in early May through routine monitoring, after being questioned by the Financial Times. The bank said that about 1 percent of its card customers were affected. Citi Cards has about 21 million customers in North America, according to the bank’s annual report.
The breach occurred at Citi Account Online, which holds basic customer information such as names, account numbers and email addresses. Other information such as birth dates, Social Security numbers and card security codes are held elsewhere and were not compromised, Citi said.
So far, the bank is saying only credit card accounts were compromised, but the Financial Times story casts doubt on that assertion:
Citi said the breach affected credit card accounts only, but several people that the FT spoke to said their debit cards were compromised. These people said they did not learn of the problem until they tried to use their cards at the weekend and had the transactions denied. Citi said it had been contacting customers whose information was involved.
This episode is troubling for a couple of different reasons. The first is that this breach occurred at a major bank. Usually hackers target less-secure, secondary holders of banking information, as they did with Michaels Stores a few weeks ago.
Second, the breaches happened in early May, but Citi is just now getting around to reporting them to the world. The bank says it has been notifying customers whose information was compromised, but it seems inexcusable that it wouldn't go public with this until more than a month after it happened. It's especially bad if some of the cards compromised really turn out to be debit cards, which have much weaker liability protections for account holders under current law than credit cards do.
If you're a Citi account holder, it's critical you watch your statements for the next few months and keep an eye out for notifications from Citi.
What do you think? Are all you Citi account holders out there concerned? Should Citi have gone public earlier?