Citigroup’s revelation that hackers stole personal information from more than 200,000 credit card holders makes it one of the largest direct attacks on a major bank.
The attack reported by Citigroup is one of the largest on a major bank.
Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them.
Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers.
“They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”
In Washington, the finger-pointing has already begun. Sheila C. Bair, the chairwoman of the Federal Deposit Insurance Corporation, said on Thursday that she planned to call on some banks to strengthen their authentication procedures when customers log onto online accounts. That’s on top of new data security rules that federal regulators are completing.
Lawmakers, meanwhile, said they were outraged that Citigroup waited since early May to notify its customers; some are preparing legislation.
Representative James R. Langevin, a Rhode Island Democrat, said he was “shocked and disappointed” to learn of Citi’s delayed disclosure. “They knew the customers’ data was potentially exposed in May and only now are they telling them about the threat,” he said. “Being more forthcoming is essential.”
Consumers, meanwhile, are feeling increasingly vulnerable amid recent reports of data breaches at big companies, like Lockheed Martin, Epsilon and Sony.
A. J. Angus, a 25-year-old Google employee, was put in double jeopardy. On Thursday, he learned that his Citi credit card data had been stolen. Only a few weeks earlier, he learned that personal data on his Sony PlayStation 3 was compromised.
“You have to be vigilant,” he said, adding that he periodically checks his credit report and looks over his transactions almost daily on a personal finance Web site.
Last Friday, almost a month after it discovered that hackers had gained access to its computer systems, Citigroup began notifying about half of the 200,000 affected customers that it planned to replace their credit cards. The bank said that the thieves had obtained customer names, card numbers, addresses, and e-mail details.
Social security numbers, expiration dates and the three-digit code found on the back of most credit cards were not compromised — a move that security experts say makes the exposed cardholders less likely to become fraud victims.
Neither Citigroup’s debit card business nor its online banking operations were breached.
“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the company said in a statement.
The intrusion is not all that unique. Over the last six years, there have been 288 publicly disclosed breaches at financial services companies that exposed at least 83 million customer records, according to the Identity Theft Resource Center.
Credit card industry officials say security issues go to the heart of their brands and they are trying to keep up with ever-more sophisticated criminals.
“We’re not dealing with 14-year-old hacker kids,” said Steve Elefant, the chief information officer at Heartland Payment Systems, which overhauled its security measures after the systems it used to process credit and debit card transactions were hacked in 2008. “We’re talking about 21st-century bank robbers — sophisticated, organized criminal gangs, located mostly in Eastern Europe and the U.S.”
Making matters worse, nearly every step along the payment chain is outsourced from the time a card is swiped to the time a monthly statement arrives, leaving plenty of openings for enterprising thieves. Security is further hampered by a patchwork of data protection laws and regulatory agencies, each with limited mandates.
“We need a uniform national standard for data security and data breach notification,” said Representative Mary Bono Mack, a California Republican who is pushing for legislation on better consumer safeguards. “In the meantime, regulators need to do a better job of being a consumer watchdog.”
Big credit card lenders are loath to acknowledge another reason that the breaches keep happening: they are in the business of reducing the financial losses stemming from fraud, not preventing data theft in the first place. As a result, analysts say, they have devoted the bulk of their resources to trying to stop fraudulent transactions from occurring.
“Data breaches are one thing,” noted David Robertson, the publisher of The Nilson Report, a payments industry newsletter. “Acting on that information is another, and the systems in place to catch fraud when it is trying to be perpetrated are extremely good.”
Indeed, while the thieves have gotten more skilled, the amount of money the banks have lost to fraud has actually stayed the same over the last six years — and has sharply fallen since the early 1990s. Today, fraud costs the banks about 5 cents for every $100 that is charged, compared with 15 cents for every $100 in 1992, according to Nilson data.
Merchant advocates, meanwhile, say the banks have little incentive to reduce it more because, in some cases, it can be a source of income. Not only do they take in hefty charge-back fees from merchants — sometimes $25 or more for each fraudulent purchase — but in many cases retailers must swallow the cost of the item fraudulently purchased.
Preventing data theft from occurring seems to be a lower priority. After the huge credit card data breach of a payment processor in 2005, the major credit card companies banded together to form a set of security standards for the industry. But six years on, compliance with those rules has been mixed. Although virtually all of the 1,000 biggest merchants meet those requirements, far fewer than 60 percent of the millions of mom-and-pop retailers and online merchants do, according to Visa data.
Other proactive steps have also fallen by the wayside because of their cost. In Europe and Asia, most credit and debit card issuers have switched to cards that use small chips embedded inside the plastic that do a better job protecting transaction data. In the United States, the banks and card companies have not adopted the technology, reasoning that retailers are unwilling to spend heavily to upgrade their existing card readers.
Likewise, some security experts say encrypting data as it flows across the entire payment network would make data far less vulnerable to being extracted by thieves. However, only a tiny fraction of merchants and processors have upgraded their systems.
Mr. Elefant said the industry needed to adopt the encryptions technology more quickly. “Unfortunately, some companies look at breaches as the cost of doing business,” he said. “That’s not the right way to look at it. You need to be as secure as you possibly can be.”
Others suggest the banks need to do more to enlist their customers, like providing more regular fraud alerts and giving them more control to turn on and off their credit cards.
“What they don’t do enough of is engage the identity holder in the war against fraud,” said James Van Dyke of Javelin Strategy and Research, a payments consulting firm. “They greatly prefer to wage this battle solo.”
Tara Siegel Bernard, Riva Richmond and Nelson D. Schwartz contributed reporting.
This article has been revised to reflect the following correction:
Correction: June 10, 2011
An earlier version of this article misstated the date when Citigroup began notifying customers affected by the hacking incident that it planned to replace their credit cards. It was last Friday, not Thursday of this week.