The chances that Citigroup Inc.’s credit cardholders will experience card fraud stemming from a recent online data breach are low, but those customers are likely to be the target of phishing scams.
The New York-based issuer on June 9 said it discovered during routine monitoring last month that unauthorized access of account information for about 1%, or 210,000, of its North American bankcard customers had occurred online. Information that was viewed included customer names, account numbers and contact information, though Social Security numbers, birth dates, card-expiration dates and card verification value security codes e-commerce websites often require to make purchases, were not comprised, the bank said in a statement.
“The goods news is that it’s not the [magnetic] stripe that was compromised, thus … the chances of fraud against those cards” is low, said Avivah Litan, a vice president and distinguished analyst with Gartner Inc.
However, Phil Blank, a senior analyst with Javelin Strategy and Research in Pleasanton, Calif., described the incident as a “significant breach compounded by the delay” in Citi’s reporting.
“With the reported ‘breach’ of names, e-mail addresses [and] account numbers, Citi customers can be subject to all sorts of phishing … attacks,” Blank wrote in an e-mail, citing a March breach of Epsilon, an e-mail marketing company owned by Alliance Data Systems Corp. that counts several large banks and retailers as clients.
A Citi spokesperson said in an e-mail the bank is contacting customers whose information was affected by the breach, which first was reported by the Financial Times on June 9.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the spokesperson wrote. “For the security of these customers, we are not disclosing further details.” He did not say whether Citi was replacing some or all cards for affected customers.
Litan estimated that it could cost Citi about $10 replace each card for an affected customer, though she said that is a rough estimate.
Citi’s incident is the latest in a recent string of high-profile data breaches that have involved Sony Corp., EMC Corp., Michael Stores Inc. and others, exposing various forms of consumer information, including payment data, to potential fraudsters.
“The biggest message here is that financial institutions are under attack,” Litan said. “We knew that already, but they’re getting closer. Everywhere you look companies in the United States are under attack.”
What do you think about this? Send us your feedback.
