SecurityWeek

Citi Ups Number of Compromised Accounts from Cyber Attack to 360,000

Citigroup on Wednesday night said a cyber attack in May affected 360,083 of its customers, almost twice the number originally reported.

Additionally, more details have emerged on the incident since Citi disclosed the attack, suggesting that attackers used a rather unsophisticated method to siphon data out of Citi’s online banking system.

According to the New York Times, “The data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.” 

This type of attack appears to be similar in scope to other Web application attacks, including an incident in which a security hole in AT&T’s Web site exposed the email addresses of some iPad owners, including government and military officials, shortly after the product launch in 2010. In that incident, a hacker group claimed to have exploited the AT&T Web site using part of an HTTP request, triggering a script which would return the associated email address using an AJAX-style response within the Web application.
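The behavior described above, where a logged-in user reaches other customers' records by changing an account number in the URL, comes down to a missing per-object authorization check. The following Python example is added here and is not from the article or from Citi's systems; the URL shape (`/account?acct=...`), the ownership table, the log format and the threshold are all assumptions made for illustration. It shows the server-side ownership check and a simple detector for one session requesting many distinct account numbers.

```python
# Added example: URL shape, ownership data and log format are assumptions.
import re
from collections import defaultdict

# Constructed ownership table: account numbers held by each authenticated user.
OWNED = {"alice": {"4000111"}, "bob": {"4000222", "4000333"}}


def account_from_url(url):
    """Extract the account number from a hypothetical /account?acct=<digits> URL."""
    m = re.search(r"[?&]acct=(\d+)(?:&|$)", url)
    return m.group(1) if m else None


def authorize(session_user, url):
    """Object-level check: the account in the URL must belong to the session's user.

    A valid login is not sufficient; the identifier in the address bar is
    client-controlled, so ownership is re-checked on every request.
    """
    acct = account_from_url(url)
    return acct is not None and acct in OWNED.get(session_user, set())


def flag_enumeration(log_lines, max_distinct=3):
    """Return sessions that requested more than max_distinct different accounts."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, url = line.partition(" ")
        acct = account_from_url(url)
        if acct:
            seen[session].add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) > max_distinct)


# Constructed access-log sample, one "<session-id> <requested URL>" per line.
SAMPLE_LOG = (
    ["sess-a /account?acct=4000111"] * 5
    + ["sess-b /account?acct=4000222", "sess-b /account?acct=4000333"]
    + [f"sess-c /account?acct={4000500 + i}" for i in range(40)]
)

if __name__ == "__main__":
    print(authorize("alice", "/account?acct=4000111"))
    print(authorize("alice", "/account?acct=4000222"))
    print(flag_enumeration(SAMPLE_LOG))
```

The ownership check is the fix; the detector is a monitoring backstop, and its threshold needs tuning against how many accounts a legitimate customer normally views.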

According to SecurityWeek contributor Mandeep Khera, we are in the midst of an application security crisis. “Security issues in applications have been around for decades. Hackers have been exploiting vulnerabilities and attacking and stealing information for many years,” Khera writes in his most recent column. “It’s gotten much worse in the recent years because more and more transactions are being done through websites — low-hanging fruit for hackers to exploit Web vulnerabilities. Traditionally, schools have never done a good job of teaching students how to do secure coding. They were taught to avoid basic software defects but not worry about security. It’s only in the recent years that some universities have started to emphasize secure coding in their computer science curriculum.”

According to a statement from Citi, on May 10, a compromise to Citi Account Online that impacted roughly one percent of North America Citi-branded credit card accounts was discovered as part of routine monitoring and immediately rectified. While Citi Cards’ Account Online system was compromised, the main cards processing system was not. Other Citi consumer banking online systems were not accessed or compromised, the company said.

On May 24th, following an investigation and review of data, the bank confirmed the full extent of information accessed on 360,069 accounts.

Citi said that customers’ account information, including name, account number and contact information, including email address, was accessed, but that data critical to committing fraud was not compromised: customers’ social security number, date of birth, card expiration date and card security code (CVV).

• A total of 360,083 North America Citi-branded credit cards were affected. Only accounts issued in the U.S. were impacted.

• 217,657 accounts were reissued credit cards along with a notification letter.

• Some accounts were not reissued credit cards if the account was closed or had already received new credit cards as a result of other card replacement practices.

Citi was also a victim of a data breach through a third-party email provider as a result of the massive breach that occurred at Epsilon back in April.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
