State Settles With Citibank In Data Breach Case
State of Connecticut v. Citibank, N.A.: Citibank has reached a $55,000 settlement with the state of Connecticut after hackers accessed the account information of more than 5,000 bank customers in-state and over 360,000 in North America.
The data breach occurred in May 2011, though the international bank did not report the theft of customers' account information until a month later. The hackers reportedly made $2.7 million worth of fraudulent charges using bank customers' accounts.
The settlement follows a joint investigation by the state attorneys general offices in Connecticut and California.
The probe revealed that a known technical vulnerability in Citibank's Account Online web-based service permitted hackers to access multiple user accounts. Hackers accessed account information through Account Online by logging in with an actual user's account number and password, and then modifying a few characters of the resulting Uniform Resource Locator (URL) in the browser's address bar in order to access additional accounts.
This vulnerability, according to officials, was known to Citibank at the time of the breach and may have existed since 2008.
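The behaviour described above, where a logged-in user reaches other accounts by editing the URL, corresponds to a missing ownership check on the account identifier in the request. The following is an added example, not Citibank's code: the session table, account records, URL format and log lines are all constructed for illustration. It shows the flawed lookup beside the corrected one, plus a log check that flags sessions requesting accounts they do not own.

```python
# Added illustration; all names and data below are hypothetical/constructed.
from collections import defaultdict

# Constructed data: which account each logged-in session owns.
SESSIONS = {"sess-a": "1001", "sess-b": "1002"}
ACCOUNTS = {"1001": {"holder": "A. Example"}, "1002": {"holder": "B. Example"},
            "1003": {"holder": "C. Example"}}


def view_account_unchecked(session_id, account_id):
    """Flawed pattern: any authenticated session can read any account in the URL."""
    if session_id not in SESSIONS:
        return 401, None
    return 200, ACCOUNTS.get(account_id)


def view_account_checked(session_id, account_id):
    """Corrected pattern: the requested account must belong to the session."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, None
    if account_id != owner:
        return 403, None  # same answer whether or not the account exists
    return 200, ACCOUNTS[account_id]


def flag_sessions(log_lines, max_foreign=0):
    """Return sessions that requested accounts other than their own."""
    foreign = defaultdict(set)
    for line in log_lines:
        session_id, path = line.split()
        account_id = path.rsplit("=", 1)[-1]
        if SESSIONS.get(session_id) != account_id:
            foreign[session_id].add(account_id)
    return {s: sorted(a) for s, a in foreign.items() if len(a) > max_foreign}


# Constructed access-log lines: "<session> <request path>"
SAMPLE_LOG = [
    "sess-a /account?id=1001",
    "sess-b /account?id=1002",
    "sess-b /account?id=1003",
    "sess-b /account?id=1001",
]
```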
Citibank officials discovered that Account Online had been breached on May 10, 2011, but they did not permanently fix the problem until May 27, 2011, and did not begin notifying affected customers until June 3, 2011.
Account information for more than 360,000 Citibank customers, including 5,066 Connecticut residents, was accessed or obtained by hackers. California was the hardest hit state, reportedly with more than 80,000 customers there affected.
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," Connecticut Attorney General George Jepsen said in a statement. "This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols."
The six-count civil complaint filed by the state in Hartford Superior Court accused Citibank of violations of the Connecticut Unfair Trade Practices Act for failing to safeguard customers' account information and for diagnosing the potential breach in 2008 but not remedying the situation until after a security breach actually occurred.
Citibank issued a statement acknowledging the data breach.