Hackers crack Citigroup computers

Gossels: spear phishing to come

A data breach at Citigroup may have compromised the personal information of more than 200,000 of the bank's credit card customers.

"During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online," a company spokesman, Sean Kevelighan, explained in a statement on June 9.

"A limited number -- roughly one percent -- of Citi North America bankcard customers’ account information (such as name, account number and contact information including email address) was viewed," he continued. "The customer’s social security number, date of birth, card expiration date and card security code (CVV) were not compromised."

According to the company's latest annual report, it has some 21 million credit card customers in North America.

"We are contacting customers whose information was impacted," Kevelighan said. "Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details."

While the information that may have been snatched by the hackers was limited, that doesn't mean that the affected customers of the bank are out of the woods. "Enough data was compromised to enable spear-phishing or some other kind of social engineering attack but not enough to access actual accounts," Jonathan G. Gossels, president and CEO of SystemExperts Corporation in Sudbury, MA, told Government Security News.

Phishing uses email or social networking communications to entice a target to go some place on the Internet where they can be conned out of personal information or infected with malware. When a phishing attack is targeted at specific people, it's called spear-phishing.

Phishers can use the information stolen from Citi to make their solicitations look authentic, Gossels explained. "If they receive a letter or phone solicitation, it's going to look pretty darn good," he said. "It's going to look like this person knows a lot about you."

"This is pretty serious," he added. "It's the secondary effects — the social engineering — that will be the real attacks."

The Citigroup breach is the latest in a string of attacks this year on large corporations including Sony, Lockheed Martin, RSA and Epsilon.

Citi is no stranger to embarrassing disclosures of its customers' personal information. In February, it mailed about 600,000 of its customers' tax documents with their social security numbers printed on the outside of the envelope.