Just over a month after Citigroup confirmed a breach of its online banking platform, a second breach affecting Citi customers has come to light. [See Citi Breach Exposes Card Data and Citi Breach: A Warning to Banks.]
On Aug. 7, The Japan Times reported that Citi on Friday confirmed a person involved with an outside business to which Citi Cards Japan Inc. outsourced part of its operations had allegedly stolen the card data and sold it to a third party. On Aug. 5, Citi Cards Japan, a Citigroup credit card division, issued a statement to confirm that personally identifiable information for 92,400 Citi Cards customers was suspected of being obtained and sold to a third party.
"The information that has been compromised includes account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened, and only affects CCJ cardholders," Citi says. "It has been confirmed that security information, including personal identification numbers and card security codes (CVVs), has not been compromised."
Last month, Citi Cards Japan was quick to point out that the May online-banking breach did not impact any Japanese cardholders. No link between the two breaches is suspected at this time. Citi Cards says it has reported the incident to law enforcement and is closely monitoring accounts suspected of exposure for fraudulent activity.
"This is a CIO's worst nightmare," says Avivah Litan, a distinguished analyst at Gartner. "I am sure Citi is not sitting around and twiddling its thumbs as the hackers gain the upper hand. But it does prove what a leaky sieve most large banks and corporations are when it comes to protecting customer data. There are so many points of compromise that it's very difficult for them to thwart all potential attacks."
Not the First Breach for Citi?
Citi alone has suffered its fair share of breaches. In 2009, The Wall Street Journal reported that the FBI had launched an investigation into an alleged Citibank computer breach linked to a Russian cybergang. Citi executives, however, vehemently denied the claim.
In 2006, Citi confirmed that company information had been breached through a third party, exposing information housed by its consumer and corporate banking arm. As a result, Citi was forced to block PIN-based transactions for customers in Canada, Russia, and the United Kingdom. And in late June, federal authorities arrested a former Citi executive who allegedly embezzled more than $19 million from the bank and its customers over a five-month period between July and December 2010. [See Citi Case Exposes Insider Risks.]
"There are many moving parts, many siloed systems and many decision-makers at large banks like Citi," Litan says. "That means many participants from different organizations have to come together and make fast decisions and implement those decisions quickly. That just doesn't happen in large companies."
Too many hoops to jump through mean that few technical advances are actually implemented to catch and thwart fraud. "This should serve as a loud wakeup call to large banks like Citi, and smaller ones, too, that they need to act like small, nimble startup players who can move quickly to bolt down their forts," Litan adds. "Most of them know what and where their problems are. Now all they need to do is fix them."