Citi Admits to Customer Data Breach

Citigroup has admitted that hackers managed to break into its systems and accessed information on about 200,000 North American credit card holders.

The Financial Times reports that the breach was discovered in early May and involved customer names, account numbers and contact information.

However, information that would facilitate fraud or identity theft, such as birth dates, Social Security numbers, credit card expiration dates and CVV codes, were not compromised.

The financial giant said the breach occurred on its Citi Account Online system and affected 1% of its customers. According to the latest public figures, there are 20 million Citi cardholders in North America.

"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details," an US Citi spokesman, told Reuters.

While affected customers are not likely to have their credit cards misused directly because of this breach, the exposed information could be used to craft believable phishing attacks aimed at extracting more sensitive information.

"Customers affected by this incident should be on high alert for scams, phishing and phone calls purporting to be from Citibank and their subsidiaries," warns Chester Wisniewski, a senior security advisor at Sophos.

"Considering that the attackers have your name, account number and other sensitive information they are able to provide a very convincing cover story to victims," he adds.

The incident follows other large scale data breaches that involved personal information in recent months. In April, hackers broke into Sony's PlayStation Network (PSN) and stole the personal details of over 76 million customers.

Questions have been raised as to why Citigroup took a month to disclose this incident. There is a general feeling that companies are taking too long to inform customers when their privacy is compromised. US lawmakers are working on federal legislation that would force companies to report breaches in a more timely manner.