Was Citi Breach Preventable?
Settlement with State AGs Highlights Security Flaws

In a settlement with Citibank tied to a 2011 breach, Connecticut's Attorney General notes the incident could have been prevented if Citi had implemented stronger and more effective security controls.
The breach, which exposed more than 360,000 Citi-issued credit cards, including about 5,000 in Connecticut, resulted from a technical vulnerability in Citi Cards' Account Online Web-based system that may have dated back to 2008, according to the state's complaint.
According to Citi, the system that was breached affected only credit cards. The bank's main card-processing system and other consumer banking online systems were not accessed or compromised, the bank noted at the time the breach was discovered.
The bank at that time also noted that personally identifiable information linked to about 1 percent of the exposed credit card accounts also may have been compromised (see Citi Breach Exposes Card Data).
Citi also has reached a settlement with the California attorney general, but details are not yet available.
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," says Attorney General George Jepsen. "This settlement not only ensures that Citibank will be responsive to its customers, should this system experience a breach in the future, it also requires the company to review and audit its security protocols."
As a result of the Aug. 29 settlement, which stemmed from a joint investigation in Connecticut and California, Citi will pay the state of Connecticut $55,000 for breach-related expenses - $15,000 for the reimbursement of losses the state paid to affected consumers and $40,000 to resolve alleged violation of the Connecticut Unfair Trade Practices Act.
The settlement requires Citi to hire an independent third party to conduct an information security audit of its online banking platform. Citi also is required to maintain reasonable security procedures and practices to protect its Account Online service. And it must provide appropriate notice and free credit monitoring for two years to any individual affected by certain future security incidents.
The Settlement
Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite Group, says the settlement will likely set an example for other states interested in recouping losses linked to data breaches. Banking institutions and other breached entities will more likely have to pay damages to states when consumer accounts are compromised because of a breach, she contends.
"Some states' AGs are just far more aggressive than others," she says. "Isn't it interesting that only two states pursued Citi on this? Perhaps they [other states] didn't understand the implications or there were mitigating circumstances."
The settlement with Citi is not a first for the Connecticut AG, says spokeswoman Jaclyn Falkowski. In 2009, Connecticut reached a settlement with Bank of America, including a $350,000 penalty, after an internal breach at its former Countrywide Financial Corp. unit resulted in the theft and compromise of data belonging to millions of Countrywide customers (see Countrywide Sued For Data Breach).
"The settlement is notable because Citibank did the right thing and agreed to have a third party come in and conduct an audit to make sure that its systems are secure," Falkowski says. "That cooperation and openness is commendable, and we hope it will help protect consumers even more going forward."
Falkowski also says the monetary settlement with Citi is "commensurate with other data breach settlements based on the number of individuals affected."
The Breach
The Connecticut attorney general's statement offered some limited insights into how the breach occurred.
"Hackers accessed account information through Account Online by logging in with an account number and password, and then modifying a few characters in the resulting Universal Resource Locator (URL) bar in a browser in order to access additional accounts. This vulnerability was known to the company at the time of the breach and may have existed since 2008."
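The flaw the attorney general describes is a missing authorization check: the account selected by the URL was served without confirming it belonged to the customer who had logged in. The following is an added illustration, not Citi's code and not a reconstruction of Account Online; the handler names, the `acct` query parameter, the sample records and the `bank.example` URLs are all constructed for the example. It shows a lookup that trusts the URL beside a hardened version that ties every record to the authenticated session and logs each refusal.

```python
"""
Added illustration of the URL-parameter flaw and its fix. Nothing here is
Citi's code; records, names, the `acct` parameter and the URLs are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account id -> owning customer and balance.
ACCOUNTS = {
    "ACCT-1001": {"owner": "cust-1", "balance": 1250.00},
    "ACCT-1002": {"owner": "cust-2", "balance": 80.50},
    "ACCT-1003": {"owner": "cust-3", "balance": 9901.10},
}

# Refusals recorded by the hardened handler, so monitoring can see a burst of
# denied lookups from a single session.
DENIED_LOG: list = []


@dataclass
class Session:
    customer_id: str  # established by the login step (account number + password)


class Forbidden(Exception):
    pass


def account_from_url(url: str) -> str:
    """Pull the `acct` query parameter (constructed name) out of a request URL."""
    qs = parse_qs(urlparse(url).query)
    values = qs.get("acct")
    if not values:
        raise ValueError("missing acct parameter")
    return values[0]


def view_account_vulnerable(session: Session, url: str) -> dict:
    """Vulnerable: the identifier in the URL is the only thing selecting the
    record, so any authenticated session can read any record by editing it."""
    acct = account_from_url(url)
    return ACCOUNTS[acct]


def log_denied(session: Session, acct: str) -> None:
    DENIED_LOG.append((session.customer_id, acct))


def view_account_hardened(session: Session, url: str) -> dict:
    """Hardened: the record must belong to the customer the session was
    authenticated as. Missing and not-owned records get the same refusal, so
    the parameter cannot be used to learn which account ids exist."""
    acct = account_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session.customer_id:
        log_denied(session, acct)
        raise Forbidden("account not accessible from this session")
    return record


if __name__ == "__main__":
    s = Session(customer_id="cust-1")
    own = "https://bank.example/acctonline/view?acct=ACCT-1001"
    other = "https://bank.example/acctonline/view?acct=ACCT-1002"
    print(view_account_vulnerable(s, own)["balance"])    # the customer's own record
    print(view_account_vulnerable(s, other)["balance"])  # someone else's record: the flaw
    print(view_account_hardened(s, own)["balance"])      # still served
    try:
        view_account_hardened(s, other)
    except Forbidden as exc:
        print("denied:", exc, DENIED_LOG)
```

The design point is that the session, not the URL, is the source of truth for which records a request may touch; the owner comparison is the single line whose absence turns a normal lookup into the cross-account read described in the complaint.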
In a statement, Citibank notes: "At the time of the incident in 2011, we immediately rectified the issue and took steps to notify and protect affected customers. Customer data that is critical to commit identity theft was not accessed, and Citi's credit card processing systems and other consumer banking online systems were not impacted. No customer was liable for any unauthorized account activity that may have occurred."
Citi would not elaborate about what actually caused the breach. But security experts offer some theories.
"I have no facts whatsoever, but the settlement amount is so small, it makes me wonder if Citi was also a victim here, of one or more of its own employees," says Inscoe of Aite Group.
"I have to ponder what a 'known technical vulnerability' means, particularly in light of this very low dollar settlement. Was someone in IT aware of the vulnerability and working with outside hackers? I can't imagine management in any bank being aware of such a situation and not taking steps to correct it immediately. After all, financial fraud that results from a problem such as this affects the bank's bottom line."
But Al Pascual, a financial fraud expert for consultancy Javelin Strategy & Research, says the breach probably had less to do with insiders and more to do with weak online authentication practices.
"What this really came down to was that a criminal could have the online credentials for a single Citi account, and upon accessing that account, they could subsequently access many more by changing the Web address in the browser just slightly, thereby circumventing authentication on these other accounts," he says. "This is not typical within an industry with such strong regulation and data security."
But it seems like a likely scenario, given that Citi did not detect the vulnerability for more than three years, Pascual adds. Device identification implemented throughout the banking session might have prevented the breach, he says.
"If all the criminals initially achieved was the pilfering of account information, then their activity was unlikely to raise much in the way of red flags in Citi's system," he explains. "Citi didn't witness fraud occurring as these accounts were being compromised through this vulnerability. Instead, they likely only witnessed the fraud that occurred after the pilfered account information had been sold to other criminals. Unfortunately, this could explain why it took so long to detect."
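Pascual's point is that account reads on their own generate no fraud alerts, so the signal has to come from the web tier rather than the transaction monitoring that eventually saw the downstream fraud. The following is an added example, not Citi's code: a small detector over constructed access-log lines that counts the distinct account identifiers each login session requests and flags sessions that exceed what one customer plausibly owns. The log format, the `acct` parameter, the session ids, the three-account threshold and the ten-minute window are all assumptions made for the example.

```python
"""
Added example of a web-tier enumeration check. The log format, thresholds and
every value in SAMPLE_LOG are constructed; none of this is Citi's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed log lines: "timestamp session method path status".
# sess-a reads two accounts, sess-b reads six in a few seconds, sess-c reads one.
SAMPLE_LOG = """\
2011-05-10T09:00:01Z sess-a GET /acctonline/view?acct=ACCT-1001 200
2011-05-10T09:00:07Z sess-a GET /acctonline/view?acct=ACCT-1002 200
2011-05-10T09:00:09Z sess-b GET /acctonline/view?acct=ACCT-2001 200
2011-05-10T09:00:10Z sess-b GET /acctonline/view?acct=ACCT-2002 200
2011-05-10T09:00:11Z sess-b GET /acctonline/view?acct=ACCT-2003 200
2011-05-10T09:00:12Z sess-b GET /acctonline/view?acct=ACCT-2004 200
2011-05-10T09:00:13Z sess-b GET /acctonline/view?acct=ACCT-2005 200
2011-05-10T09:00:14Z sess-b GET /acctonline/view?acct=ACCT-2006 200
2011-05-10T09:30:00Z sess-c GET /acctonline/view?acct=ACCT-3001 200
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match
    or that carry no account parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, session, _method, path, status = m.groups()
    acct = parse_qs(urlparse(path).query).get("acct", [None])[0]
    if acct is None:
        return None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "session": session,
        "acct": acct,
        "status": int(status),
    }


def find_enumerating_sessions(log_text: str, max_accounts: int = 3,
                              window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {session: sorted distinct accounts viewed} for every session that
    successfully viewed more than `max_accounts` distinct accounts inside any
    `window`-long span. Only 200 responses count: refused lookups are a
    separate signal."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["status"] == 200]
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    flagged = {}
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct_in_window = {e["acct"] for e in evs[start:end + 1]}
            if len(distinct_in_window) > max_accounts:
                # Report everything the session touched, not just the trigger.
                flagged[session] = sorted(e["acct"] for e in evs)
                break
    return flagged


if __name__ == "__main__":
    for session, accts in find_enumerating_sessions(SAMPLE_LOG).items():
        print(f"{session}: {len(accts)} distinct accounts viewed: {accts}")
```

The threshold is deliberately crude; the useful property is that it fires while accounts are being read, before any of the downstream fraud Pascual describes has had a chance to show up in transaction monitoring. In practice the count would be compared against the number of accounts the session's customer actually holds rather than a fixed number.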