Card Fraud Risk Low in Citi Breach

Citigroup Inc.'s credit card customers are unlikely to experience card fraud stemming from a recent online data breach, but they could be the targets of phishing scams.

Citi said Thursday that it discovered during routine monitoring recently that unauthorized online access of account information for about 1%, or 210,000, of its North American bank card customers had occurred.

Information that was viewed included customer names, account numbers and contact information.

Social Security numbers, birth dates, card expiration dates and card security codes, or CVVs, which e-commerce websites often require to make purchases, were not compromised, the bank said in a statement.

"The goods news is that it's not the [magnetic] stripe that was compromised, thus … the chances of fraud against those cards" are low, said Avivah Litan, a vice president and distinguished analyst with Gartner Inc.

However, Phil Blank, a senior analyst with Javelin Strategy and Research in Pleasanton, Calif., described the incident as a "significant breach compounded by the delay" in Citi's reporting.

"With the reported 'breach' of names, email addresses [and] account numbers, Citi customers can be subject to all sorts of phishing … attacks," Blank wrote in an email, citing a March breach of Epsilon, an email marketing company owned by Alliance Data Systems Corp. that counts several large banks and retailers as clients.

A Citi spokesman said in an email that the bank is contacting customers whose information was affected by the breach, which was first reported by Financial Times on Thursday.

"Citi has implemented enhanced procedures to prevent a recurrence of this type of event," the spokesman wrote. "For the security of these customers, we are not disclosing further details."

He did not say whether Citi was replacing some or all cards for affected customers.

Litan said that it could cost Citi about $10 to replace a card for an affected customer, though she said that is a rough estimate.

The Citi incident added to a recent string of high-profile data breaches at companies including Sony Corp., EMC Corp. and Michaels Stores Inc., which compromised consumer information.

"The biggest message here is that financial institutions are under attack," Litan said.

"We knew that already, but they're getting closer," she said. "Everywhere you look, companies in the United States are under attack."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER