BreachExchange mailing list archives

From: Richard Forno <rforno () infowarrior org>
Date: Mon, 13 Jun 2011 19:52:04 -0400

Citi Defends Delay in Disclosing Hacking
By RANDALL SMITH
http://online.wsj.com/article/SB10001424052702304665904576382391531439656.html

Citigroup Inc. waited as long as three weeks to notify credit-card customers of a hacking attack because it was 
conducting an investigation and producing replacement cards, according to a person familiar with the situation.

The internal investigation took 10 to 12 days and began within 24 hours of the discovery by Citigroup officials in 
early May that the New York bank's systems had been breached, this person said. In some cases, Citigroup took action to 
protect accounts considered vulnerable to fraud.

Citigroup publicly disclosed the security attack last Thursday, saying it affected about 200,000 customers, or 1% of 
the company's card users in North America. The company said it had referred the matter to law-enforcement authorities 
and planned to send replacement cards to a majority of the affected customers.

Some critics have accused Citigroup officials of dragging their feet in notifying customers that some of their data has 
been compromised. The Senate banking committee is planning hearings on data security. The breach follows other attacks 
that are fueling concerns among financial regulators and security experts that banks and other companies aren't doing 
enough to protect themselves and their customers.

"Every minute that passes after a hacker gains access to customers' confidential information means a greater risk of 
both monetary and identity theft," said Mandeep Khera, an official at Cenzic Inc., an online-security firm in Santa 
Clara, Calif. Mr. Khera said Citigroup had "done a disservice" to customers because of the delay.

Other recent targets of similar attacks include Sony Corp. and Lockheed Martin Corp. Security experts say financial 
institutions are a top target. On Saturday, the International Monetary Fund said it had been hit by "a cybersecurity 
incident."

The person familiar with Citigroup's response to the security breach said company officials responded to discovery of 
the attack immediately. In late May, the company launched a week-long process for a mailing to notify the roughly 
200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of 
new cards began June 3, or six days before Citigroup publicly disclosed the hack attack.

Citigroup said the hackers obtained access to data such as names, account numbers and email addresses. The breach 
didn't compromise Social Security numbers, dates of birth, card security codes or expiration dates. Bank officials have 
said the data that was disclosed wasn't enough to perpetrate fraud.

Before the official customer notification, Citigroup moved to protect certain customers by sending out an internal 
fraud alert on all those customers deemed at risk, the person familiar with the matter said.

Some experts suggested that Citigroup's response was reasonable. By discovering and investigating the breach itself, 
Citigroup was able to "allay" customer fears about data that wasn't compromised, said Joe Gottlieb, chief executive of 
SenSage Inc., a Redwood City, Calif., firm that develops software to reduce fraud and compliance risks.

Write to Randall Smith at randall.smith () wsj com
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list