At least I don’t have to use the “S” word today! A New York Times story reports that Citigroup has disclosed that it had suffered a data breach that disclosed information about approximately 1% of its North American credit card holders. Based upon Citi’s annual report this would be about 210,000 affected customers.

According to the article Citi will be notifying affected users via mail… not email. It is important for people to understand that this is how banks work. Notifications of this sort of attack via email virtually always are indicative of a phishing attack. Because compromised data included “customers’ names, credit card numbers, addresses and e-mail addresses” this potentially puts those users at a higher risk of being phished for information about the new credit cards they receive. If users will follow the simple rules I provided at https://www.welivesecurity.com/2011/06/01/gmail-accounts-under-attack they will easily repel such attacks. Never follow a link in a banking email and if you do follow it anyway, do not log in.

Recent reports of politically motivated hacks should not lead anyone to believe that the financially motivated hacks have gone away. Financial institutions are under attack every day of the year, however they have a lot more experience combating such attacks than most any other sector. It is still rare for financial institutions to report a breach, but when 200,000 customers have to be notified of a problem it becomes difficult to hide an incident.

Citi claims to have put new procedures into place to prevent the type of breach that did occur from happening again. This is the history of crime and crime prevention. We learn from the attacks, block the vector and the criminals will find a new attack vector.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America