Nonprofit, nonpartisan journalism. Supported by readers.


Citigroup hacked: What to do if your account was compromised

For individuals, the largest risk is “spear phishing” by the criminals who stole the information. Once they have your data they can send a letter that almost sounds like it came from a financial institution.

Almost everyone has received U.S. mail that comes in with a bank’s return address on the left-hand corner.

You might not want to throw it all in the trash, particularly if you have a Citigroup-issued credit card.

The big bank says it is in the process of notifying more than 200,000 of its bankcard customers — some 1 percent of its total cardholders — who had their accounts hacked, probably in early May when the bank discovered someone was accessing names, account numbers and contact information, including email addresses.

The majority of its customers will receive new credit cards and are not responsible for any fraudulent purchases, says Citigroup spokesman Sean Kevelighan.

Article continues after advertisement

The data breach is the latest in a recent series of major intrusions into the computers of companies such as Sony, bulk mailer Epsilon and RSA, which provides SecureID tokens for Internet security. Security experts say the intrusions show that the hackers are getting more sophisticated and harder to immediately detect since many of the companies had fairly sophisticated systems.

“I am afraid they are going to be more successful in the short term in seizing assets and information and disrupting business,” says Larry Poneomon, head of the Poneomon Institute in Traverse City, Mich. “It is a fait accompli.”

In an annual study, sponsored by Symantec, a computer security company, the Institute found the cost of computer intrusions was $214 per compromised record. If the breach included information such as lost Social Security numbers or personal identification numbers, it cost $353 per record.

Probably, one of the most expensive breaches was the 2005 data break-in at TJX Corp., the parent of T.J. Maxx, the discount retailer. Cyberthieves stole 46.5 million records, including a lot of credit card information. The company says the theft cost it about $160 million through its fourth quarter.

What cardholders should do
For individuals, the largest risk is “spear phishing” by the criminals who stole the information. Once they have an individual’s email address, plus a name, they can send a letter that almost sounds like it came from a financial institution.

Poneomon says the typical letter, written on the letterhead of the financial institution, will ask for passwords, PIN numbers, and other sensitive data that would normally not be given to anyone. “These are high-probability attacks,” he says, “that lead to a set of information that can be monetized.”

In Citi’s case, the bank says it will send out notification letters to people who have had their accounts compromised. The bank does not normally notify people by email.

“If you get an email from Citi, assume it’s a fake,” says Poneomon.

Fortunately, the customers’ Social Security numbers, dates of birth, card expiration data and card security codes were not part of the theft.

Article continues after advertisement

Call Citi for ‘peace of mind’
Nonetheless, credit card expert Bill Hardekopf of says if someone wants “peace of mind,” they might call Citi to ask if their card was compromised.

“Candidly, if your account was not affected, you don’t have anything else to do,” he says. “If your account was not hacked, you don’t need to push the panic button.”

On an ongoing basis, Hardekopf suggests changing passwords on a regular basis, monitoring debit and credit-card activity, and not emailing confidential information such as your mother’s maiden name, your birth date and your pet’s name.

Attacks from afar
Although the data breaches are taking place so often, many of the hackers elude the criminal justice system. That’s because they can be operating anywhere in the globe from Eastern Europe to China to Vietnam.

“The odds are good they are somewhere far away,” says Poneomon.

As for Citi, it says it has enhanced security so the problem does not happen again.