Citigroup Breach Highlights Need for Speed in Notification

Speedy communication to breach victims is vital in preventing fraud, according to lawmakers and regulators who are pushing for faster consumer notifications after last week's disclosure of an incident at Citigroup Inc.

Citi waited about three weeks (pending its own investigation) to inform consumers that an attack from early May exposed the account numbers and email addresses of about 200,000 credit card customers, or 1% of its base, according to various reports.

But given the sophistication of hackers, who use targeted "spear phishing" campaigns to extract further sensitive data out of victims, the sooner banks publicize an incident, the better the chances that consumers can avoid fraud on their accounts.

"Those 200,000 customers were at higher risk of spear phishing attacks during that time, and they should've been made aware of the risks," said Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC of Boston. "This highlights the need for banks to treat email addresses with the same care that they treat other pieces of personally identifiable information, and store it in separate, more secure databases."

Rep. Mary Bono Mack, R-Calif., who is the chairman of the House Commerce, Manufacturing and Trade subcommittee, introduced a draft letter Monday that would require banks to issue notifications more quickly.

"We will make certain in this legislation that consumers will be informed that their personal information has been put in jeopardy," Ken Johnson, senior advisor to Rep. Mack, said in an interview. "Companies and entities that hold personal information must establish and maintain security policies to prevent unauthorized acquisition of data."

Among the goals of the legislation, Johnson said, would be to unify about 47 different state laws regarding the time frame for consumer notification. He said there may be a carve-out for banks, which he said are already somewhat regulated in this regard under provisions of the Gramm-Leach-Bliley Act.

Federal Deposit Insurance Corp. Chairman Sheila Bair said she may ask some banks to strengthen online authentication when consumers log on to their accounts. Bair said, in an email sent by a representative, that "the agencies are specifically developing additional guidance to enhance authentication procedures when customers access their online accounts."

A Citi representative said by email that the company "immediately rectified the data breach upon discovery, while also placing internal fraud alerts and monitoring on all accounts at risk. Simultaneously, we began analysis to determine the precise accounts and type of information accessed. Within three weeks we began sending notification letters to clients, the majority of which included re-issued credit cards." Citi would not comment on the regulatory and legislative responses to the incident.

Lawmakers may also soon require banks to protect personal consumer data when it's at rest.

Experts said it's important that banks quickly notify customers of breaches. They pointed to recent attacks, such as the one at Epsilon, the email marketing unit of Alliance Data Corp. Inc. of Plano, Texas, where hackers made off with millions of bank customer names and email addresses.

That information is now widely in circulation and can be used for years to craft targeted phishing campaigns against bank customers. Banks typically include extra personal information in their emails to consumers as a way of letting consumers know that the communication is legitimate. The information the hackers obtained from the Epsilon and Citi breaches can be used to make their scam emails convincing by including a similar amount of detail.

"The timeliness of disclosure is more about transparency than about safety per se," said Madhavi Mantha, head of banking research at Novarica, a Novantas LLC subsidiary. "The transparency gives the customers the knowledge they need," Mantha said.
