Jun 28, 2011 08:02 GMT

Hackers who exploited a vulnerability on Citigroup's Citi Account Online website earlier this year managed to steal $2.7 million from the victims' accounts.

On June 9 Citi announced that its Citi Account Online system was compromised by unidentified attackers who extracted the account data of 1% of its North American card holders.

Originally, it was believed that around 200,000 customers were affected, but it was later revealed by Citi that over 360,000 credit card holders had their information exposed.

The bank confirmed last week that $2.7 million was stolen from 3,400 accounts following the security breach. All of the customers will be reimbursed for the loss.

In addition, the company incurred costs of tens of millions of dollars notifying all affected individuals and reissuing credit cards.

Citi learned of the data breach back in May, but took three weeks to report it publicly. This has drawn criticism from consumer protection groups and security experts.

The incident was the result of a vulnerability in the Citi Account Online website which allowed attackers to access account information by simply manipulating a URL.
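One common form of such a flaw is a page that returns whichever account a URL value names without checking it against the logged-in user. The added example below (not Citi's code and not part of the original article) shows that pattern beside the server-side ownership check that closes it, plus a log check for sessions requesting accounts they do not own. It assumes the URL carried an account identifier; all names, ids and log entries are constructed.

```python
# Added illustration: all names, ids and data below are constructed, not Citi's.
from collections import defaultdict

# Constructed data: which account ids each logged-in user owns.
OWNED = {"alice": {"1001"}, "bob": {"1002"}, "carol": {"1003", "1004"}}
ACCOUNTS = {"1001": "alice's statement", "1002": "bob's statement",
            "1003": "carol's card A", "1004": "carol's card B"}


class Forbidden(Exception):
    """Raised when the session user may not read the requested account."""


def get_account_vulnerable(session_user, account_id):
    # Flawed pattern: being logged in is treated as authorization, so the
    # id taken from the URL alone decides whose record is returned.
    if session_user not in OWNED:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]


def get_account_hardened(session_user, account_id):
    # Fix: authorize the object on every request against the server-side
    # session. Unknown and foreign ids fail identically (no existence oracle).
    if account_id not in OWNED.get(session_user, set()):
        raise Forbidden("account not available")
    return ACCOUNTS[account_id]


def flag_foreign_access(log_entries, threshold=2):
    """Return users who requested >= threshold distinct accounts they do not own."""
    foreign = defaultdict(set)
    for user, account_id in log_entries:
        if account_id not in OWNED.get(user, set()):
            foreign[user].add(account_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed request log: (session user, account id taken from the URL).
SAMPLE_LOG = [("alice", "1001"), ("bob", "1001"), ("bob", "1003"),
              ("bob", "1002"), ("carol", "1004"), ("alice", "1002")]

if __name__ == "__main__":
    print(flag_foreign_access(SAMPLE_LOG))
```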

Interestingly enough, birth dates, Social Security numbers, credit card expiration dates and CVV codes, data that would be required for fraud, were not compromised.

This raises the question of how the $2.7 million was stolen. It is possible that the exposed information (names, account numbers, addresses, and emails) was used to craft believable phishing emails to obtain the rest.

Citi has not confirmed any such attacks, but customers are strongly advised to be on the lookout for emails that appear to originate from the bank and ask for personal and financial details. Please confirm any such messages with the company over the phone before following the instructions within.