
11:35 AM

Citi Fined by Connecticut for Online Security Breach

The Connecticut attorney general’s office said hackers exploited a vulnerability that the bank knew about long before the breach.

Citibank will have to pay a $55,000 fine resulting from a breach of its online operations in 2011, a statement released yesterday by the Connecticut attorney general’s office said. Citi will also have to undergo an audit by a third party to evaluate the security of its Account Online web service, the statement added.

This decision comes after a joint investigation by the Connecticut and California attorneys general’s offices found that the hackers took advantage of a vulnerability that was known to the bank to access customers’ accounts. The hackers logged in to the Account Online service with a username and password, and were then able to access other accounts by simply changing some characters in the resulting URL. The bank knew of this vulnerability going back to 2008, the attorney general’s statement alleged.

The statement also said that the bank discovered the breach on May 10, 2011 but did not permanently repair the vulnerability until May 27, 2011, and failed to notify customers of the breach until June 3.

The breach allowed the hackers to access the account information of more than 360,000 Citibank customers, according to the statement. Media reports place the amount of money stolen in the breach at around $2.7 million.

Citi agreed to the audit as part of the settlement and also agreed to offer two years of free credit monitoring to any Connecticut customers affected by the breach. The settlement is not final until it receives court approval.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Jonathan_Camhi,
User Rank: Author
9/5/2013 | 9:04:35 PM
re: Citi Fined by Connecticut for Online Security Breach
Yes, especially if the breach was caused by an oversight on the part of the bank.
Cara Latham,
User Rank: Apprentice
9/4/2013 | 9:42:36 PM
re: Citi Fined by Connecticut for Online Security Breach
At least financial institutions are being held accountable for their breaches. I think it will only encourage better practices in the future. Otherwise, there may not be any motivation to really invest money to address prevention.
Jonathan_Camhi,
User Rank: Author
9/3/2013 | 8:51:30 PM
re: Citi Fined by Connecticut for Online Security Breach
A fine and an audit are pretty typical for this sort of thing. The size of the fine can differ case-to-case, but I'm probably not in a position to say what would have been a "fair" fine. It's important to note as well that Citi will have to pay for the third-party audit as well.
Zarna Patel,
User Rank: Apprentice
9/3/2013 | 5:05:57 PM
re: Citi Fined by Connecticut for Online Security Breach
I'm unfamiliar with the typical sentencing a bank would get in this type of situation, so it seems like Citibank got off easy from my point of view. Is this a typical punishment?