6/9/2011
10:33 AM

Citibank Hacked, Some 200,000 Credit Card Numbers Exposed

Citi's North America Account Online system breached

The breach goes on: Citibank today became the latest in a string of high-profile businesses in the past few weeks to report it had been hacked, with some of its customers' personal information exposed.

A Citibank spokesperson says the company discovered early last month that its Citi North America Account Online system, which contains information on all of its North American customers, had been infiltrated.

"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online. A limited number -- roughly one percent -- of Citi North America bankcard customers’ account information (such as name, account number and contact information including email address) was viewed. The customer’s social security number, date of birth, card expiration date and card security code (CVV) were not compromised. We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details," the spokesperson said in an email response.

Citi has some 21 million cardholders in North America, which would mean that 200,000 or so were compromised based on its estimate of 1 percent. The bank is contacting those account holders, and would not elaborate on what security measures it had taken or how the attackers got inside.

The good news is that no CVV codes, expiration dates, birth dates, or social security numbers were exposed, which limits the initial fraud possibilities. But phishing and social engineering attacks against the affected Citi customers are the biggest threats, experts say.

Sophos analyst Chester Wisniewski warns that Citi customers whose accounts were breached should be on the lookout for these types of scams. "Considering that the attackers have your name, account number and other sensitive information, they are able to provide a very convincing cover story to victims," he said in a blog post today. "Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
