UPDATE by the author: On Monday, June 27, 2011, Citibank acknowledged that in this hack attack hackers stole millions of dollars from customers' credit card accounts. Citigroup told CNN that about $2.7 million was stolen from about 3,400 accounts on May 10. The hackers actually accessed a much greater number of accounts: 360,083.
Article first published as "Thousands of Citibank On Line Credit Card Accounts Hacked. Customers Name, Account Numbers and E-Mail Addresses Compromised." on Technorati.
The Citibank hacking attack took place in early May 2011 but was made public on June 08, 2011, when a Financial Times.com news staff member asked Citi about the attack on the bank. Citi customers told the Financial Times that they had tried to use their cards and the transactions were denied.
Close to 210,000 Citi North America accounts may have been compromised. After being confronted by the media, the bank acknowledged the hack and said that customers are being notified. Citi said that customers' names, account numbers and e-mail addresses were compromised.
This was not a run-of-the-mill attack; it is a cybercrime operation aimed directly at a major worldwide bank. Normally, these types of hacks are directed at third-party credit card transaction handlers, such as private ATM providers and point-of-sale (POS) merchants. This time it is a direct hit on the bank's online credit card system. The target was a money-handling operation, and as such it is safe to say that there is a high probability that the intent of the hack was to steal money. Since money is involved, it is crucial that the victims be advised promptly. Even when the money is insured by the FDIC, the headaches and perils of identity theft are not to be taken lightly.
To regulate the time lapse between a cybercrime incident and the notification of the event to the victims, the government is stepping in. Last month the White House proposed a Cyber Security Policy in a document titled “Creating Effective Information Sharing and Incident Response”; this policy addresses the issue in paragraph IV, page 23. A separate bill, by Senator Patrick Leahy, would similarly make concealing a data breach a federal crime.
We understand that a hacking attack of this type should be kept confidential for a reasonable amount of time, to allow the computer forensics team to perform mitigation, prevention and investigative functions. But waiting to make the event public until the media inquires about it, because victims are coming out in the open, is not acceptable. It does no good for the industry and, in addition, creates public distrust. That is the reason the Government Administrative Branch and Congress are stepping in to regulate the procedures for notifying victims of computer data breaches. No one likes to learn that his or her identity has been stolen while watching, listening to or reading the media.