Citigroup hacked: What to do if your account was compromised
New York
Almost everyone has received US mail that comes in with a bank’s return address on the left-hand corner.
You might not want to throw it all in the trash, particularly if you have a Citigroup-issued credit card.
The big bank says it is in the process of notifying more than 200,000 of its bankcard customers, some 1 percent of its total cardholders, who had their accounts hacked, probably in early May when the bank discovered someone was accessing names, account numbers, and contact information, including e-mail addresses.
The majority of its customers will receive new credit cards and are not responsible for any fraudulent purchases, says Citigroup spokesman Sean Kevelighan.
The data breach is the latest in a recent series of major intrusions into the computers of companies such as Sony, bulk mailer Epsilon, and RSA, which provides SecurID tokens for Internet security. Security experts say the intrusions show that the hackers are getting more sophisticated and harder to immediately detect since many of the companies had fairly sophisticated systems.
“I am afraid they are going to be more successful in the short term in seizing assets and information and disrupting business,” says Larry Ponemon, head of the Ponemon Institute in Traverse City, Mich. “It is a fait accompli.”
In an annual study, sponsored by Symantec, a computer security company, the Institute found the cost of computer intrusions was $214 per compromised record. If the breach included information such as lost Social Security numbers or personal identification numbers, it cost $353 per record.
Probably, one of the most expensive breaches was the 2005 data break-in at TJX Corporation, the parent of T.J. Maxx, the discount retailer. Cyberthieves stole 46.5 records, including a lot of credit card information. The company says the theft cost it about $160 million through its fourth quarter.
What cardholders should do
For individuals, the largest risk is “spear phishing” by the criminals who stole the information. Once they have an individual’s e-mail address, plus a name, they can send a letter that almost sounds like it came from a financial institution.
Ponemon says the typical letter, written on the letterhead of the financial institution, will ask for passwords, PIN numbers, and other sensitive data which would normally not be given to anyone. “These are high probability attacks,” he says, “that lead to a set of information that can be monetized.”
In Citi’s case, the bank says it will send out notification letters to people who have had their accounts compromised. The bank does not normally notify people by e-mail.
“If you get an e-mail from Citi, assume it’s a fake,” says Ponemon.
Fortunately, the customers’ Social Security numbers, dates of birth, card expiration data, and card security codes were not part of the theft.
Call Citi for 'peace of mind'
Nonetheless, credit card expert Bill Hardekopf of LowCards.com says if someone wants “peace of mind” they might call Citi to ask if their card was compromised.
“Candidly, if your account was not affected, you don’t have anything else to do,” he says. “If your account was not hacked, you don’t need to push the panic button.”
On an ongoing basis, Mr. Hardekopf suggests changing passwords on a regular basis, monitoring debit and credit-card activity, and not e-mailing confidential information such as your mother’s maiden name, your birthdate, and your pet’s name.
Attacks from afar
Although the data breaches are taking place so often, many of the hackers elude the criminal justice system. That’s because they can be operating anywhere in the globe from Eastern Europe to China to Vietnam.
“The odds are good they are somewhere far away,” says Ponemon.
As for Citi, it says it has enhanced security so the problem does not happen again.