A Citibank spokesperson says that early last month the company discovered that its Citi Account Online system for North America, which contains information on all of its North American customers, had been infiltrated.
"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online. A limited number -- roughly one percent -- of Citi North America bankcard customers’ account information (such as name, account number and contact information including email address) was viewed. The customer’s social security number, date of birth, card expiration date and card security code (CVV) were not compromised. We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details," the spokesperson said in an email response.
Citi has some 21 million cardholders in North America, so its estimate of 1 percent works out to roughly 210,000 affected accounts. The bank is contacting those account holders, but would not elaborate on what security measures it has taken or how the attackers got in.
Because no CVV codes, expiration dates, birth dates, or Social Security numbers were exposed, the immediate risk of card fraud is limited: the stolen data on its own is not enough to complete a card-not-present transaction. The bigger threat, experts say, is phishing and social engineering attacks against the affected Citi customers, since an attacker who already knows a victim's name, account number and email address can make a fraudulent message or call look legitimate.
Sophos analyst Chester Wisniewski warns that Citi customers whose accounts were breached should be on the lookout for these types of scams. "Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims," he said in a blog post today. "Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call. Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links."
If you'd like to contact Dark Reading's editors directly, send us a message.