Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers' names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America.
Citigroup did not say how the website, Citi Account Online -- which is used by its customers to manage their cards -- was compromised but that the discovery came through its "routine monitoring." The bank discovered the breach, which was first reported in Thursday's Financial Times, early last month.
[ InfoWorld's Woody Leonhard takes a look at what the latest data security breaches really mean. | Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Other customer information, such as Social Security numbers, birthdates, card expiration dates, and the three-digit code on the back of the card, were not exposed, the company said.
"Citi has implemented enhanced procedures to prevent a recurrence of this type of event," said Sean Kevelighan, head of communications and public affairs for Citigroup's North America Consumer Banking division in a statement. "For the security of these customers, we are not disclosing further details."
The affected customers are being contacted by Citigroup. However, the Citi Account Online website did not have a notification of the breach on its front page on early Thursday morning.
The Financial Times reported that several card customers only found out about the issue last weekend when transactions using their card were denied, raising questions about Citigroup's notification procedures.
Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks.
The email addresses, for example, could be used to send "phishing" messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.
Phishing can also be done over the phone, with the caller impersonating someone in authority and tricking a victim into thinking they're talking to a legitimate financial institution's representative.
Send news tips and comments to jeremy_kirk@idg.com