Citibank victimized by hackers, insists cardholders are safe

Filed Under: Data loss, Privacy

CitiCardReuters is reporting that Citibank's systems were hacked, resulting in a loss of Personally Identifiable Information (PII).

Citibank says that data for 1% of their cardholders was accessed through this breach, but customers' Social Security Numbers (SSNs), birth dates, card expiration dates and CVV codes are safe.

Information that may have been disclosed to the hackers includes customers' names, account numbers, contact details and email addresses.

According to Citibank's website they are the world's largest provider of credit cards, issuing more than 150,000,000 cards globally. Based on these numbers, information for 1,500,000 or more individuals may have been compromised.

In April Paul Gaulant, former head of the bank's credit card unit, told Reuters, "Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."

That may be true, but feeling secure is not the same as being secure. How this information was acquired and why it wasn't protected against theft is a far more important question.

Citi has stated they will notify customers believed to be affected by the breach.

Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries.

While Citi customers aren't likely to have fraudulent charges against their accounts as a result of this breach, they are likely to encounter social engineering attempts to enable further crime.

Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims.

Never accept incoming communications purporting be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.

Update: It has been confirmed that there are approximately 220,000 cardholders affected by this incident as it was limited to just US customers. The number above was based on all Citibank cardholders.

, , , ,

You might like

2 Responses to Citibank victimized by hackers, insists cardholders are safe

  1. Robert Wurzburg · 1520 days ago

    Citibank should be severely fined, and ordered to store all customer dat using SSL
    communication, authentication, and AES encryption of actual data on their servers.
    This type of hacking couldn't be accomplished by using SSL certificates installed on
    customers computers with public and private session keys, and hardware keys for
    authentication to identify legitimate customer computers and Citibank servers during
    a session setup.

  2. melissa · 1308 days ago

    My niece's citibank credit card was hacked into on Feb. 24th. Today is March 8th., they have done nothing to help. Over $2000 was stolen. From what we can tell, the card was used through Target in $200 increments all within a short timeframe. Citibank told her today that if she does not recieve her money by tomorrow, it can take anywhere from 60 to 90 days, with guarantee she'll get anything back.

    If this is the way Citibank does business, people should discontinue doing any type of business with them

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at