Jun 20, 2011 04:10 GMT

Citigroup has revealed that over 360,000 accounts were compromised in the recent attack against its Citi Account Online system, more than was initially estimated.

On June 9, Citigroup admitted that hackers managed to extract sensitive customer information from its Citi Account Online website.

At the time, the company said that around one percent of its customers in North America were affected.

Considering that the latest public figures put the number of Citi cardholders at 20 million, the media estimated that 200,000 people were affected by the hack.

Fortunately, only names, account numbers and contact information were exposed. More sensitive details like birth dates, Social Security numbers, credit card expiration dates or CVV codes were not compromised.

People close to the investigation later revealed that attackers used simple URL manipulation on a vulnerable script to enumerate accounts and extract the information.
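The article gives no technical detail beyond URL manipulation being used to enumerate accounts. The following added example (not Citi's code and not taken from the article) shows the server-side control that this class of flaw lacks: the account ID in the request is checked against what the authenticated session owns, and sessions that keep asking for other accounts are flagged. All session tokens, account IDs, records and the threshold are constructed.

```python
from collections import defaultdict

# Constructed ownership table: session token -> account IDs that session owns.
SESSION_ACCOUNTS = {"sess-alice": {"1001"}, "sess-bob": {"1002", "1003"}}

# Constructed records holding only the kinds of fields the article says were exposed.
ACCOUNTS = {
    "1001": {"name": "Alice Example", "contact": "alice@example.test"},
    "1002": {"name": "Bob Example", "contact": "bob@example.test"},
    "1003": {"name": "Bob Example", "contact": "bob@example.test"},
}

ENUMERATION_THRESHOLD = 3  # assumed: distinct foreign IDs before a session is flagged


class AccountService:
    def __init__(self):
        # session -> distinct account IDs it requested but does not own
        self.denied = defaultdict(set)

    def get_account(self, session, account_id):
        """Return (status, body); the ID from the URL is never trusted on its own."""
        owned = SESSION_ACCOUNTS.get(session)
        if owned is None:
            return 401, None  # not authenticated
        if account_id not in owned:
            self.denied[session].add(account_id)
            return 403, None  # same answer whether or not the account exists
        return 200, ACCOUNTS.get(account_id)

    def suspected_enumerators(self):
        """Sessions that requested at least the threshold of accounts they do not own."""
        return sorted(s for s, ids in self.denied.items()
                      if len(ids) >= ENUMERATION_THRESHOLD)


# Constructed request sequence: (session, account ID taken from the URL).
SAMPLE_REQUESTS = [
    ("sess-alice", "1001"), ("sess-alice", "1002"), ("sess-alice", "1003"),
    ("sess-alice", "1004"), ("sess-bob", "1002"), ("sess-bob", "1001"),
]


def replay(requests):
    """Run the requests through the service; return statuses and flagged sessions."""
    svc = AccountService()
    statuses = [svc.get_account(s, a)[0] for s, a in requests]
    return statuses, svc.suspected_enumerators()
```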

According to an update Citi posted on its website as a result of an official inquiry by the Connecticut Attorney General's office, a total of 360,083 North America Citi-branded credit card accounts were affected, around 80 percent more than originally believed.

Out of these, only 217,657 accounts had their cards reissued. The others were either closed or received new cards as a result of other events. According to a breakdown by state, California was the most affected with 80,454 exposed accounts, followed by Texas with 44,134 and Illinois with 30,054.

Citigroup was criticized because it took almost a month to disclose the incident, but it defended itself by claiming the investigation lasted 12 days and that additional time was needed to produce the replacement cards.

US lawmakers are working on federal legislation that would force companies to report breaches in a more timely manner. Companies would also be expected to maintain a minimum data security standard.