Citibank To Pay $55K Fine To Settle Data Breach Investigation
Wednesday, September 04, 2013
Just before the long holiday weekend, the State of Connecticut Attorney General's office announced a preliminary settlement agreement with Citibank, N.A. over a data breach at the bank that affected more than 360,000 banking customers. The terms of the proposed settlement include a $55,000 payment to the state and other specific data-security conditions.
The settlement was reached after a joint investigation by the California and Connecticut Attorneys General's offices. The investigation found that:
"... a known technical vulnerability in Citibank’s Account Online Web-based service permitted hackers to access multiple user accounts. Hackers accessed account information through Account Online by logging in with an account number and password, and then modifying a few characters in the resulting Universal Resource Locator (URL) bar in a browser in order to access additional accounts. This vulnerability was known to the company at the time of the breach and may have existed since 2008."
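The flaw the investigators describe is the classic insecure direct object reference: the server authenticates the session, then serves whatever account number appears in the URL without checking that the logged-in customer owns it, so an attacker who changes a few digits walks through other customers' accounts. The following is an added example written for this page, not code from Citibank or the investigation; the account numbers, session tokens, URL parameter name (`acct`) and log lines are all constructed. It shows the vulnerable lookup beside the hardened one, the sequential-guessing attack run against both, and a simple log check that flags a session touching an unusual number of distinct accounts.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data (hypothetical): three accounts belonging to two customers.
ACCOUNTS = {
    "4000000000001": {"owner": "alice", "balance": 1200.50},
    "4000000000002": {"owner": "bob", "balance": 88.10},
    "4000000000003": {"owner": "alice", "balance": 5300.00},
}

# Constructed session store: opaque session token -> authenticated customer.
# Login has already happened; both views below only check that the token is valid.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _account_param(url):
    """Return the 'acct' query parameter from a URL or path, or None if absent."""
    query = parse_qs(urlparse(url).query)
    return query.get("acct", [None])[0]


def vulnerable_view(session_token, url):
    """Authenticates the session, then trusts the account number in the URL (IDOR)."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(_account_param(url))
    if record is None:
        return 404, None
    return 200, record  # no ownership check: any valid session can read any account


def hardened_view(session_token, url):
    """Same lookup, but the record is only returned if the session's user owns it."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(_account_param(url))
    # Respond 404 for both a missing account and someone else's account, so the
    # status code does not confirm to the attacker that a guessed number exists.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def enumerate_attack(view, session_token, base_url, start, count):
    """Simulates the attack: one logged-in session, incrementing the account number."""
    hits = []
    for n in range(start, start + count):
        status, record = view(session_token, f"{base_url}?acct={n}")
        if status == 200:
            hits.append((str(n), record["owner"]))
    return hits


# Constructed access-log lines (hypothetical format): session, method, path, status.
SAMPLE_LOG = [
    "sess-alice GET /AccountOnline?acct=4000000000001 200",
    "sess-alice GET /AccountOnline?acct=4000000000003 200",
    "sess-bob GET /AccountOnline?acct=4000000000002 200",
    "sess-bob GET /AccountOnline?acct=4000000000001 200",
    "sess-bob GET /AccountOnline?acct=4000000000003 200",
    "sess-bob GET /AccountOnline?acct=4000000000004 404",
]


def flag_enumeration(log_lines, threshold=3):
    """Return sessions that requested at least `threshold` distinct account numbers.

    Counts 404s as well as 200s: failed guesses are the strongest signal of
    sequential probing, and would be the only signal once the ownership check is in place.
    """
    seen = {}
    for line in log_lines:
        session, _method, path, _status = line.split()
        acct = _account_param(path)
        if acct is not None:
            seen.setdefault(session, set()).add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)


if __name__ == "__main__":
    base = "https://example.invalid/AccountOnline"
    print("vulnerable:", enumerate_attack(vulnerable_view, "sess-bob", base, 4000000000000, 6))
    print("hardened:  ", enumerate_attack(hardened_view, "sess-bob", base, 4000000000000, 6))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

The ownership check is the fix; the log check is what would have shortened the gap between the first unauthorized access and discovery, since a single session reading dozens of consecutive account numbers does not look like a customer checking a statement.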
Citibank discovered the data breach on May 10, 2011, but did not permanently fix the vulnerability until May 27, 2011, seventeen days later. The bank began notifying affected cardholders on June 3, 2011. Hackers accessed and collected data about 5,066 Connecticut residents.
The $55,000 payment by Citibank includes $15,000 in civil penalties to the state’s Privacy Protection Guaranty and Enforcement Account, and $40,000 to the state’s General Fund to resolve allegations of violation of the Connecticut Unfair Trade Practices Act. Connecticut Attorney General Jepsen said:
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated... This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols."
Additional terms of the settlement require the bank to hire an independent third-party company to conduct an information security audit of the bank's Account Online system and to report a detailed summary of its findings to the Connecticut Attorney General. The bank must also maintain reasonable security procedures and practices to protect Account Online, and must provide appropriate notices and two years of free credit monitoring to any persons affected by a future data breach of Account Online. The proposed settlement agreement (PDF) must still be approved by the court.