.png)
A Citibank office in midtown Manhattan, New York City. Global banking giant Citigroup Inc. is the latest corporate victim of online hacking attacks. (Spencer Platt/Getty Images)
NEW YORK—Global banking giant Citigroup Inc. is the latest corporate victim of online hacking attacks.
The New York-based bank admitted in a report Thursday in the Financial Times, after numerous inquiries, that the firm was subject to a sophisticated cyber security hacking attack last month.
The bank admitted that hackers may have compromised 1 percent of its customers, which is the equivalent of around 210,000 accounts according to tallies in its latest 10-Q filing with the Securities and Exchange Commission. Credit card account numbers, customer names and information could have been compromised, although PIN numbers, social-security numbers, and debit/credit card CVV codes were not taken.
Last month’s attack only affected credit card account holders, not bank account holders, Citigroup said. It is in the process of contacting cardholders Thursday.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details,” Citigroup said in an emailed statement.
Citigroup is the latest in a string of major corporations subject to such online attacks. Consumer electronics giant Sony Corp. was hacked in April by a group of hackers, which took down its PlayStationNetwork (PSN) online gaming platform, affecting more than 80 million customers.
Both Sony and Citigroup had not disclosed the hacking attack until some time after the alleged attack. Sony’s PSN was shut down for several days without reason, and Sony disclosed the attack several days after PSN initially became offline.
Last month, defense contractor Lockheed Martin Corp. was allegedly attacked by hackers from China. Last week, a hacker group named “LulzSec” hacked PBS.org and posted a fake story regarding decreased hip-hop artist Tupac Shakur being alive.
No hacker group has claimed the Citigroup attack as of Thursday.
Disclosure, Security Standards Questioned
A new bill in Congress, introduced by Sen. Patrick Leahy (D-Vt.), could criminalize companies concealing a cyber attack which puts customer information at risk. Experts argue that online information security is more important than ever as more confidential information is stored in remote servers on the Internet.
“The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country,” Sen. Leahy said in a statement.
The bill is known as Personal Data Privacy and Security Act of 2011 and it is co-sponsored by Charles Schumer of New York, and Al Franken of Minnesota.
Citigroup, in this case, delayed notifying customers until a month after the attacks, which was believed to have occurred in early May. In some instances, experts argue, it is wise to wait a few days to disclose such incidents in order to coordinate with law enforcement.
In light of the security breach, the Federal Deposit Insurance Corporation (FDIC), which guarantees bank deposits of member institutions, asked banks to increase their data security standards and technology to prevent such attacks.
FDIC Chairman Sheila Bair said her agency is in the process of developing new guidelines on the minimum data security standard for financial institutions.Shares of Citigroup (NYSE: C) were trading 2.3 percent higher at midday Thursday.
