Citigroup Inc. on June 15 clarified the timeline and updated the number of accounts breached in a recent hacker attack that put an estimated 1% of its North American Citi-branded credit card base at risk.
Citi now says 360,083 credit card accounts were affected and that it reissued cards to 217,657 of those accounts. The others had been closed or were already in the process of reissuance for other reasons. The open accounts that did not get new cards are receiving enhanced monitoring, Citi said.
The issuer previously indicated only about 200,000 accounts were impacted and that those affected represented 1% of its total North American card base, cited as 21 million on June 9, when Citi announced the break in (
Citi also countered claims that it waited too long before responding to the break-in. Citi said the breach occurred on May 10 and that it discovered the intrusion as part of routine maintenance (
The issuer said it identified the majority of accounts affected within seven days. By May 24, Citi says it confirmed the full extent of information accessed and began preparing notification packages with replacement cards and informing customer service teams. It began mailing notification letters June 3, the majority of which included reissued credit cards.
In an emailed statement, Citi said it placed internal fraud alerts and enhanced monitoring on all accounts deemed at risk while simultaneously conducting “rigorous analysis … to determine the precise accounts and type of information accessed.”
This process “required analysis of millions of pieces of data,” Citi said.
The bank stressed that customer names, account numbers, contact information and email addresses were viewed by hackers. Social Security numbers, dates of birth, card-expiration dates and the card security codes were not.
The incident affected the Citi Account Online network, but the bank’s main card-processing system and its systems for consumer online banking were unaffected.
