Here’s an exciting story: Citigroup Credit Card Portal Breach Compromises 200,000 Customers – Security – News & Reviews – eWeek.com.
Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.
The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.
Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.
While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.
Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.
I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.
Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.
Watch those logs!
Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”
Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.
Coincidentally, Martin covered this very idea in a recent post: Fundamental flaw in thinking: We’re responsible.