Citigroup acknowledged Thursday that hackers improperly viewed the account information of hundreds of thousands of its credit card customers, the latest in a series of high-profile cyber attacks.
The breach was detected during “routine monitoring,” which found “unauthorized access to Citi’s Account Online,” the company said in an e-mail statement.
Citigroup said the breach affected about 1 percent of its North American bank card customers. The company did not release a specific number. According to its most recent annual report, Citigroup has 21 million credit card accounts, which means the breach potentially affected about 200,000 customers.
In the past month or so, Sony’s PlayStation went offline for several weeks after hackers invaded its system. RSA Security, which provides SecurID tokens to leading corporations, government agencies and contractors that use them to securely log on to computers, suffered a “sophisticated” cyber attack on its system. Defense contracting giant Lockheed Martin later said its systems were compromised, in part because of the hacks. And recently, Google said hackers based in China accessed hundreds of Gmail accounts, including some belonging to senior U.S. government officials.
“Every day it’s somebody. No organization is immune to this. It’s really getting out of hand,” said Paul Ferguson, senior threat researcher at Trend Micro.
Citigroup did not release any information about the potential source of its breach. “We have been in contact with law enforcement,” the company’s statement said. But “for the security of these customers, we are not disclosing further details.”
The breach affected holders of credit cards but not debit cards, Citigroup said. Customers are being notified by mail or through their online accounts, and most will receive replacement cards.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the company said.
A Citigroup spokesman said that he could not provide any information about whether the breach resulted in unauthorized charges on accounts, but added that “naturally, our customers are not liable for any unauthorized use of their accounts.”
The hackers were able to view general account information, including customers’ names, account numbers and contact information such as e-mail addresses, the statement said. But the breach did not extend to Social Security numbers, dates of birth or credit card security codes, the company said.
But even the release of a customer’s e-mail address can be dangerous, Ferguson said. “Anybody that has those e-mail addresses can target those customers with phishing attacks,” he said. “Every little piece of information that a criminal has helps them to successfully target their victim. If I have your e-mail address and I know you are a Citi customer, that helps.”