Citibank hacked – customers lose out.

The news about various large scale corporations falling under the onslaught of hackers continues to come out.

Last week it was revealed that Citibank’s security had been breached with potentially massive implications on its customers. While banks are always going to be high risk businesses, we have come to expect that they have robust security in place. It seems this is not the case.

From International Business Times:

Citibank announced approximately 200,000 credit card customers in North America have had their names, account numbers and email addresses stolen via a hack to their online account site. Citibank, which has issued 21 million credit cards in North America, said the hack affected only one percent of its customers. The bank said it is in the process of contacting those customers.

From the Sun Chronicle:

Citigroup’s disclosure that the names, account numbers and email addresses of 200,000 of its credit card customers were stolen strikes at the core of modern-day financial life – the ways people buy groceries and pay the power bill.

Citi says all of the customers whose information was stolen will receive a notification letter, and most of them will get a new card, although it has declined to say exactly how many. The bank says its enforcement division and authorities are investigating. The victims will have to endure the hassle of updating the credit card numbers on any number of online accounts, but they probably won’t lose any money.

It is unlikely that anyone outside the incident team that deals with this will ever fully know how the hack happened, however we can still take away the obvious lessons.

Even in large multinationals where security is key to the business, it is easy for the organisation to slip into bad habits. All too often security is seen as a “cost” to the business and, as a result, it can be quick to cut it. Equally as business change is underway, there will always be pressure from stakeholders to cut corners, and take risks. This is often presented as something the business needs to keep functioning and keep generating profits.

When a business skips on security, this is what happens.

The costs to Citibank from this are likely to be in excess of US$2million for sending out notifications alone. The cost of replacing the cards is probably not that much but may be close to another US$1m. If any of the details were used for fraudulent transactions, Citi is probably going to have to cover that but we cant estimate this cost. They will have to spend more investigating and fixing the problems and the reputational damage is incalculable. At a very rough guess, this could have cost the business in the region of US$5m, not including the effects on its reputation in the eyes of its customers.

The important question now is did they save this much by taking short cuts with security? For most businesses, the answer is a sad no. Could your business survive this sort of loss?

Some things to keep in mind when you assess how you would deal with this sort of thing:

  • Prevention is ALWAYS better than a cure. When you have been breached, everything is suddenly more expensive. For example, rather than having a security advisor at your leisure, you have to pay top rates to get one immediately.
  • Things you think might be too expensive now, are just as expensive after the breach but you now have to find the money for them as well as pay to fix the damage caused.
  • Security enables your business to function. Never be fooled or put off by people complaining that it is restricting them earning money, security is there to protect your profits in every action.

As always, this is a good opportunity for you to organise a business risk management meeting to determine what your vulnerability to a similar event is. Your base risk is no greater now than it was before the Citibank hack, but if you fall to a similar attack, the reputational damage is now much more. If you want independent, external, advice, get in touch with Halkyn Security Consulting and we can help you develop you risk strategy, assess your current posture and develop sound remediation strategies in the most cost effective manner.

Dont scrimp on security, but also dont waste money on smoke and mirrors. Get the right advice.


Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.