The string of megabreaches that has rocked major corporations throughout 2011 continues, and its latest target is one of the world’s biggest banks. Citibank has revealed that it detected a data breach last month that exposed the account details of fully 1% of its North American customers.
Citi has about 21.2 million customers in North America according to its annual report, implying that close to 210,000 accounts may have been hit.
Citi revealed the hacker attack, which it detected a month ago, to the Financial Times after the paper made inquiries. But the Times says many customers only learned of the breach after they had their transactions denied.
The bank said in a statement to Forbes that it had tightened security measures, and that Social Security numbers, dates of birth, the three-digit CVV numbers on the backs of the cards and expiration dates weren’t exposed in the breach. “We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details,” the bank’s statement reads.
The scale of the Citi attack is hardly unusual, given that other breaches at companies like TJX in 2007 or Heartland Payment Systems in 2009 likely exposed more than a hundred times as many credit card accounts. Even the hack of Sony’s PlayStation Network last month is believed to have exposed tens of millions of credit card numbers. But rarely have hackers breached a bank itself rather than the partners or retail outlets that often store large caches of those card numbers.
The breach–and Citi’s slow and reluctant announcement–come as the federal government considers new measures that would require timely notifications of data compromises beyond the requirements in certain states’ laws. The White House’s proposed cybersecurity policy outlined last month would include a mandatory federal breach disclosure law, and another bill proposed by Senator Patrick Leahy would similarly make concealing a data breach a federal crime.