The incident affected around 360,000 Citibank customers

Sep 2, 2013 09:15 GMT

Connecticut Attorney General George Jepsen has reached a settlement with Citibank regarding a data breach that affected over 360,000 customers.

As part of the settlement, Citibank has agreed to pay $15,000 (€11,400) in civil penalties to the state’s Privacy Protection Guaranty and Enforcement Account, and another $40,000 (€30,000) to the state’s General Fund.

In addition, the financial organization has agreed to hire a third party to conduct an information security audit of the Account Online section of Citibank’s website.

The settlement comes after hackers accessed the account information of a large number of customers by leveraging a vulnerability in the Account Online service.

Hackers were able to access any account simply by logging in to their own account and changing a few characters in the URL.

It’s believed the company had known about the security hole since 2008. However, the issue was permanently addressed only on May 27, 2011, 17 days after Citibank learned of a breach.

Impacted customers were not notified until June 3, 2011.

“Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated,” Attorney General Jepsen commented.

“This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols.”

The settlement, which comes after a joint investigation between the Connecticut Attorney General and the California Attorney General, is not final until it’s approved by the court.

The complaint is available here. The settlement documents can be found here.