Citigroup’s revelation that hackers stole personal information from more than 200,000 credit card holders makes it one of the largest direct attacks on a major bank.
Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them.
Details remain scarce, but the disclosure of the Citigroup breach Thursday quickly turned into a debate on whether the banks and major credit card companies have invested enough money to safeguard the personal information of their customers.
“They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”
In Washington, the finger-pointing has already begun. Sheila C. Bair, chairwoman of the Federal Deposit Insurance Corp., said Thursday that she planned to call on some banks to strengthen their authentication procedures when customers log onto online accounts. That’s on top of new data security rules that federal regulators are finalizing.
Lawmakers, meanwhile, said they were outraged that Citigroup waited since early May to notify its customers; some are preparing legislation.
Rep. James R. Langevin, D-R.I., said he was “shocked and disappointed” to learn of Citi’s delayed disclosure. “They knew the customers’ data was potentially exposed in May and only now are they telling them about the threat,” he said. “Being more forthcoming is essential.”
Consumers, meanwhile, are feeling increasingly vulnerable amid recent reports of data breaches at big companies, like Lockheed Martin, Epsilon and Sony.
A.J. Angus, a 25-year-old Google employee, was put in double jeopardy. On Thursday, he learned that his Citi credit card data had been stolen. Only a few weeks earlier, he learned that personal data on his Sony Playstation 3 was compromised.
“You have to be vigilant,” he said, adding that he periodically checks his credit report and looks over his transactions almost daily on a personal finance website.
On Thursday, Citigroup began notifying about half of the 200,000 affected customers that it planned to replace their credit cards after it discovered last month that hackers had gained access to its computer systems. The bank said the thieves obtained customer names, card numbers, addresses, and email details.
Social security numbers, expiration dates, and the three-digit code found on the back of most credit cards were not compromised — a move that security experts say makes the exposed cardholders less likely to become fraud victims.