Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.
The bank did not disclose when the breach occurred. Once alerted to the breach, the company "began enhanced monitoring of the affected accounts for fraud" and in mid-February detected several hundred fraudulent cash withdrawals in the three countries, the company said in a statement. Citibank proceeded to block all transactions in those countries that rely on PIN authentication.
"We are in the process of contacting affected customers individually and issuing new cards," the company's statement said. "We can provide new cards to customers affected by this third-party breach anywhere in the world they may be traveling."
Citibank would not name the third-party business whose systems were breached. The bank also did not specify how or when its affected customers were notified that they could no longer make PIN-based transactions. Some Citibank customers have used blogs to relate their experiences dealing with the bank. One Canadian, through a blog entry dated March 5, noted that he found out about the problem after an ATM transaction was denied, rather than through official notification from his bank.
This is not Citigroup's first brush with data insecurity. In June, the bank revealed that a box of unencrypted tapes containing information on 3.9 million customers was lost in transit. Citigroup shipped the box May 2 via UPS Inc., but it never arrived at its destination, an Experian credit bureau in Texas. The tapes contained names, Social Security numbers, account numbers, and payment histories of CitiFinancial customers.
Citigroup is by no means alone in its inability to protect customer data. In fact, the list is extensive, and growing. Ameriprise Financial in January revealed that unencrypted data, including Social Security numbers of 226,000 customers and employees, was stolen from a laptop. Some H&R Block customers rang in the New Year by finding out that their Social Security numbers were included in the tracking number used to mail them packages containing the company's TaxCut software. Kaiser Permanente last year was fined $200,000 for a data breach that affected 150 customers.
These highly publicized embarrassments are beginning to have some affect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can't be easily fixed.