Dark Reading is part of the Informa Tech Division of Informa PLC


Citi: Hackers Got More Records Than We Thought

Citigroup on Wednesday said it had underestimated the number of accounts breached in a recent attack by 70%--but such revisions are not unusual, security experts say.

Citigroup on Wednesday released a statement saying that it had underestimated the number of accounts breached in a recent attack by 70%.

Initially, Citigroup estimated that 210,000 customers were affected, but now the company says the total number is 360,083 account holders, all based in the United States and using Citi-branded credit cards.

Attackers viewed cardholder account details, including names, account numbers, email addresses, and other contact information. But Citigroup said "data that is critical to commit fraud was not compromised," and that attackers didn't see Social Security numbers, dates of birth, card expiration dates, or card security codes (aka CVV numbers).

According to a timeline released by Citigroup, it discovered the breach on May 10 during routine monitoring, and immediately put fraud alerts and close monitoring on all accounts deemed to be at risk. Within a week, it had identified the majority of the affected accounts.

By May 24, the company had confirmed which types of data had been accessed and begun preparing notification packages, manufacturing replacement credit cards, and training its customer service teams to handle related inquiries. Beginning on June 3, the company sent notification letters, which for 217,657 customers also contained replacement cards. Defunct accounts or accounts that had recently received a new card were excluded, though kept under greater monitoring.

To help prevent a similar type of attack from succeeding in the future, Citigroup said it has enhanced its security procedures, but declined to specify the changes, saying a law enforcement investigation is still underway. Citigroup also has warned customers to beware of spear-phishing attacks that use the stolen information.

But given that Citigroup has now revised upwards the number of people affected by the breach--and may again do so in the future--is the company playing it straight?

Interestingly, in the vast majority of breaches--involving not only Citigroup, but also Sony and Epsilon, amongst many other recent incidents--the hacked organization invariably ends up revising upwards the number of affected records or accounts. "I can't think of a single example where it's gone the other way, where a company says, Hey it wasn't really 30 million compromised accounts, it was only 24 million," said data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview.

"What I've found is that that tendency to get something out quickly seems to be viewed by organizations as the ethical response, as in, 'We're still doing the investigation, but we wanted to let people know that they may be at risk,'" he said.

But moving quickly often leads to businesses releasing inaccurate information. In the case of Sony, for example, the company indicated that stolen information didn't include account data that could be used to commit fraud. Later, however, Sony disclosed that some credit card data had, in fact, been stolen.

There's also a business imperative for not moving too quickly. Ponemon said that based on his data breach research, companies that report breaches less than 30 days after discovering them tend to spend more on breach cleanup. Part of the increase in cost has to do with inefficiency. By moving too quickly, businesses risk having to issue multiple waves of data breach notifications, or not having time to properly train call center agents about how to respond to customers' related inquiries.

"The key isn't over reporting or under reporting, the key is to do it accurately," said Ponemon. "But it doesn't mean that organizations just shouldn't report for long periods of time--there's a balancing act between reporting too quickly, and then reporting too slowly."
