Connecticut Attorney General Fines Citibank for Data Breach

Two years after a data breach that compromised hundreds of thousands of customer accounts, Citibank has agreed to pay a $55,000 settlement to Connecticut.

During the breach, the state said, criminals were able to access multiple bank customers' online information by logging in with a single account number and password and then modifying the URL in the browser to access others' information.
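The flaw described above amounts to a missing server-side ownership check on an identifier taken from the URL. The Python below is an added example, not Citibank's code and not part of the original article; the account records, URL layout, log format and function names are all constructed assumptions. It places the unchecked lookup beside a checked one and adds a log check for a single session requesting many accounts.

```python
import re
from collections import defaultdict

# Constructed records: account id -> owning login (not real data).
ACCOUNTS = {"1001": "alice", "1002": "bob", "1003": "carol", "1004": "dave"}

class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""

def get_account_unchecked(session_user, account_id):
    # Flawed: being logged in is treated as permission for any id in the URL.
    return {"id": account_id, "owner": ACCOUNTS[account_id]}

def get_account_checked(session_user, account_id):
    # Hardened: the id from the URL must belong to the authenticated session.
    # Unknown and foreign ids fail identically, so replies do not confirm ids.
    if ACCOUNTS.get(account_id) != session_user:
        raise Forbidden(account_id)
    return {"id": account_id, "owner": session_user}

# Constructed access-log lines in a hypothetical format.
ACCESS_LOG = [
    "sess=s1 user=alice GET /accounts/1001",
    "sess=s2 user=bob GET /accounts/1002",
    "sess=s2 user=bob GET /accounts/1003",
    "sess=s2 user=bob GET /accounts/1004",
    "sess=s2 user=bob GET /accounts/1001",
    "sess=s3 user=carol GET /accounts/1003",
]
LINE = re.compile(r"sess=(\S+) user=(\S+) GET /accounts/(\d+)")

def sessions_enumerating_accounts(lines, max_distinct=1):
    """Return sessions that requested more distinct account ids than expected."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m:
            seen[m.group(1)].add(m.group(3))
    return sorted(s for s, ids in seen.items() if len(ids) > max_distinct)
```
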

Roughly 360,000 Citibank customers were affected; about 5,066 were in Connecticut.

Citibank discovered the breach in May 2011. It permanently fixed the problem that month. The vulnerability, Connecticut said, may have existed since 2008.

"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," said Connecticut Attorney General George Jepsen in a press release. "This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols."

The issue was discovered by a joint investigation between Jepsen's office and his California counterpart. The settlement is not final until approved by the court.
