Citigroup hacked: What to do if your account was compromised

Some 200,000 of Citigroup's bankcard customers had their accounts hacked. Most won't be responsible for fraudulent purchases, but cardholders should still take precautions.

The Citibank logo is shown on a branch office in this April 11, 2007, file photo taken in New York. Citigroup Inc. said Thursday that hackers have accessed the credit card information of tens of thousands of its North American customers.

Mark Lennihan/AP/File

June 9, 2011

Almost everyone has received US mail that comes in with a bank’s return address on the left-hand corner.

You might not want to throw it all in the trash, particularly if you have a Citigroup issued credit card.

The big bank says it is in the process of notifying more than 200,000 of its bankcard customers – some 1 percent of its total cardholders – who had their accounts hacked, probably in early May when the bank discovered someone was accessing names, account numbers, and contact information, including e-mail addresses.

The majority of its customers will receive new credit cards and are not responsible for any fraudulent purchases, says Citigroup spokesman Sean Kevelighan.

The data breach is the latest in a recent series of major intrusions into the computers of companies such as Sony, bulk mailer Epsilon, and RSA, which provides SecureID tokens for Internet security. Security experts say the intrusions show that the hackers are getting more sophisticated and harder to immediately detect since many of the companies had fairly sophisticated systems.

“I am afraid they are going to be more successful in the short term in seizing assets and information and disrupting business,” says Larry Poneomon, head of the Poneomon Institute in Traverse City, Mich. “It is a fait accompli.”

In an annual study, sponsored by Symantec, a computer security company, the Institute found the cost of computer intrusions was $214 per compromised record. If the breach included information such as lost Social Security numbers or personal identification numbers, it cost $353 per record.

Probably, one of the most expensive breaches was the 2005 data break-in at TJX Corporation, the parent of T.J. Maxx, the discount retailer. Cyberthieves stole 46.5 records, including a lot of credit card information. The company says the theft cost it about $160 million through its fourth quarter.

What cardholders should do

For individuals, the largest risk is “spear phishing” by the criminals who stole the information. Once they have an individual’s e-mail address, plus a name, they can send a letter that almost sounds like it came from a financial institution.

Poneomon says the typical letter, written on the letterhead of the financial institution, will ask for passwords, PIN numbers, and other sensitive data which would normally not be given to anyone. “These are high probability attacks,” he says, “that lead to a set of information that can be monetized.”

In Citi’s case, the bank says it will send out notification letters to people who have had their accounts compromised. The bank does not normally notify people by e-mail.

“If you get an e-mail from Citi, assume it’s a fake,” says Poneomon.

Fortunately, the customers’ Social Security numbers, dates of birth, card expiration data, and card security codes were not part of the theft.

Call Citi for 'peace of mind'

Nonetheless, credit card expert Bill Hardekopf of LowCards.com says if someone wants “peace of mind” they might call Citi to ask if their card was compromised.

“Candidly, if your account was not affected, you don’t have anything else to do,” he says. “If your account was not hacked, you don’t need to push the panic button.”

On an ongoing basis, Mr. Hardekopf suggests changing passwords on a regular basis, monitoring debit and credit-card activity, and not e-mailing confidential information such as your mother’s maiden name, your birthdate, and your pet’s name.

Attacks from afar

Although the data breaches are taking place so often, many of the hackers elude the criminal justice system. That’s because they can be operating anywhere in the globe from Eastern Europe to China to Vietnam.

“The odds are good they are somewhere far away,” says Poneomon.

As for Citi, it says it has enhanced security so the problem does not happen again.