The fraudsters targeting Citi never sleep.
Thieves made off with personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold the data to third parties, the bank said Friday. It's the second data theft for Citi in three months and the latest sign of how vulnerable banks and their customers are in a world of high-tech banditry.
Customer account numbers, names, addresses, phone numbers, birth dates, account-opening dates and gender information were stolen, Citi said. But the most sensitive data, including personal identification numbers and card security codes, weren't taken, reducing the possibility that fraud will occur, Citi said.
Citi said it reported the theft to police after it was alerted to the problem by a customer inquiry. The New York-based company said it has been cooperating with the investigation. Fraud alerts have been placed on the affected accounts, but no suspicious transactions have been detected, the bank said.
The theft of customer data in Japan follows a disclosure by Citi in June that hackers stole $2.7 million from its North American credit-card customers. The bank covered customer losses.
Unlike the theft in the U.S., in which 360,000 accounts were breached by a sophisticated hacking technique, the scheme in Japan was perpetrated by a third-party vendor that had been given access to Citi's internal systems, people familiar with the situation said.
"The Achilles' heel of all these financial institutions is a lack of oversight of third parties that are managing much of their infrastructure around the world," said Tom Kellerman, chief technology officer of AirPatrol, a wireless-security firm. "Even if banks can harden their castles, they still have these extensions of themselves that are not being monitored."
One-third of all data breaches in 2009 occurred through third parties, according to a report published by Verizon Communications Inc.
"Vendors aren't necessarily being nefarious, but rather just negligent," Kellerman said.
Citi has become a high-profile target, not just for its size, but also for its footprint that spans more than 100 countries. Some of those countries have emerging economies where the financial infrastructure is less developed and therefore harder to manage.
Citi is currently facing sanctions in Indonesia, where the central bank ordered it to stop offering premium banking services to new clients for one year and issuing credit cards for two years. The sanctions followed the mysterious death of a client after a meeting with debt collectors, and revelations that a wealth manager stole millions of dollars from other customers.
Security experts said that Citi is no worse than other large financial institutions in terms of the security it provides customers, but they said all these firms have fallen further behind as identity theft techniques have advanced.
"Banks are playing a huge game of catch-up," said Avivah Litan, an analyst with Gartner Research.
Citi said it is contacting all the customers affected by the breach in Japan and will reissue cards at the customer's request. It emphasized that customers won't be responsible for fraudulent transactions on their accounts.
Kellerman cautioned against reading too much into the latest Citi theft report. "Citi is not being hacked more than other financial firms," he said. "But they tend to be more forthcoming about disclosing and remediating the problem."
