Citibank will have to pay a $55,000 fine resulting from a breach of Citibank’s online operations in 2011 after a joint, a statement from the Connecticut attorney general’s office released yesterday said. Citi will also have to undergo an audit by a third-party to evaluate the security of its Account Online web service, the statement added.
This decision comes after a joint investigation by the Connecticut and California attorney generals’s offices found that the hackers took advantage of a vulnerability that was known to the bank to access customers’s accounts. The hackers accessed the Account Online service with a username and password, and then were able to access other accounts by simply changing some characters in the resulting URL when they logged in. The bank knew of this vulnerability going back to 2008, the attorney general’s statement alleged.
The statement also said that the bank discovered the breach on May 10, 2011 but did not permanently repair the vulnerability until May 27, 2011, and failed to notify customers of the breach until June 3.
The breach allowed the hackers to access the account information of more than 360,000 Citibank customers, according to the statement. Media reports place the amount of money stolen in the breach at around $2.7 million.
Citi agreed to the audit as part of the settlement and also agreed to offer two years of free credit monitoring to any Connecticut customers affected by the breach. The settlement is not final yet until it receives court approval.