The Citi card data breach compromised 360,000 customer accounts – 80% more than the figure initially reported – and forced the bank to re-issue 218,000 cards to affected customers.
The new data comes in a public comment letter issued by the bank to its customers. While the letter identifies the date of the discovery of the breach as 10 May, the statement provides no details on how the accounts were compromised. The bank has yet to respond to claims that the hackers accessed the data through a simple vulnerability in the browser address bar.
To Our Customers:
You may have recently read in the media about a compromise to Citi Account Online impacting credit card accounts in North America.
We wanted to share more specifics with you regarding the event. First, we want to confirm three things:
1. From the moment Citi discovered the breach we took immediate action to rectify the situation and protect any customers potentially at risk.
2. Customers are not liable for any fraud on the account and are 100% protected.
3. Every decision made throughout this process was in the best interest of our customers.
Updated Information on Recent Compromise to Citi Account Online For Our Customers
** Includes specific details, including dates and number of customers impacted **
On May 10, a compromise to Citi Account Online that impacted roughly one percent of North America Citi-branded credit card accounts was discovered as part of routine monitoring and immediately rectified. While Citi Cards’ Account Online system was compromised, the main cards processing system was not. Other Citi consumer banking online systems were not accessed or compromised.
Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data.
The customers’ account information (such as name, account number and contact information, including email address) was viewed. However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code (CVV).
While the investigation was underway, preparations began to notify customers and, as appropriate, replace affected customers’ credit cards. As of May 24, we began the process of developing notification packages including customer letters and manufacturing replacement cards, as well as preparing our customer service teams. Notification letters were sent beginning June 3, the majority of which included reissued credit cards.
Citi has implemented enhanced procedures to prevent a recurrence of this type of event. We have also notified law enforcement and government officials. For the security of our customers, and because of the ongoing law enforcement investigation, we cannot disclose further details regarding how the data breach occurred.
Our customers are not liable for any unauthorized use of their accounts. We encourage our customers to review their account statements and to report any suspicious or unauthorized charges to us. Citi also offers free personalized identity theft solutions to assist our customers in taking appropriate steps if they believe they are a victim of identity theft.
Customers with additional questions can call the toll free number on the back of their card for help from Citi Customer Service. We continue to monitor customer service and communication channels and take every necessary action to ensure our customers are cared for.
Total Accounts Impacted:
* A total of 360,083 North America Citi-branded credit cards were affected. Only accounts issued in the U.S. were impacted.
* 217,657 accounts were reissued credit cards along with a notification letter.
* Some accounts were not re-issued credit cards if the account is closed or has already received new credit cards as a result of other card replacement practices. These accounts continue to receive heightened monitoring for suspicious activity.