The attorney general of the state of New York has sued Citibank over the financial institution’s alleged failure to protect customers against hackers and fraudsters, as well as its refusal to reimburse victims.
New York AG Letitia James said individuals in the state have lost millions of dollars as a result of cybercrime schemes that are possible due to Citi’s failure to implement strong data security and anti-breach practices.
“As a result of Citi’s lax security protocols and procedures, ineffective monitoring systems, and failure to respond in real-time and properly investigate fraud claims, New Yorkers have lost millions to scammers,” the AG’s office said in a press release. “Customers have lost their life savings, their children’s college funds, or even money needed to support their day-to-day lives as a result of Citi’s illegal and deceptive acts and practices.”
In its complaint, the attorney general has provided several specific examples of New Yorkers who had tens of thousands of dollars stolen from their accounts after being tricked by cybercriminals.
It’s worth pointing out that these incidents do not appear to involve exploitation of any software vulnerabilities or access to Citi systems. Instead, the threat actors rely heavily on social engineering to trick victims into handing over the information needed to access their accounts and conduct unauthorized transfers.
However, the AG believes Citi should have more efficient systems in place to detect signs of fraud, for instance, based on unrecognized device locations, suspicious password or username changes, and suspicious transfers.
The bank has also been accused of being slow to respond to fraud reports coming from customers.
In addition, the AG says the bank should reimburse victims of such crimes under the Electronic Fund Transfer Act (EFTA), but Citi is allegedly exploiting a loophole to deny reimbursement claims.
In response to the lawsuit, Citi said it works hard to prevent fraud and assist impacted customers, but noted, “Banks are not required to make customers whole when those customers follow criminals’ instructions and banks can see no indication the customers are being deceived.”
Related: Two More Individuals Charged for DraftKings Hacking
Related: Data of 750 Million Indian Mobile Subscribers Sold on Hacker Forums
Related: 1.5 Million Affected by Data Breach at Insurance Broker Keenan & Associates