State of Connecticut v. Citibank, N.A.: Citibank has reached a $55,000 settlement with the state of Connecticut after hackers accessed the account information of more than 5,000 bank customers in-state and over 360,000 in North America.
The data breach occurred in May 2011, though the international banker did not report the theft of customers' account information until a month later. The hackers reportedly made $2.7 million worth of fraudulent charges using bank customers' accounts.
The settlement follows a joint investigation by the state attorneys general offices in Connecticut and California.
The probe revealed that a known technical vulnerability in Citibank's Account Online web-based service permitted hackers to access multiple user accounts. Hackers accessed account information through Account Online by logging in with an actual user's account number and password, and then modifying a few characters in the resulting Uniform Resource Locator (URL) in the browser's address bar in order to access additional accounts.
This vulnerability, according to officials, was known to Citibank at the time of the breach and may have existed since 2008.
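The flaw described above is a missing per-object authorization check: the server trusted the account identifier in the URL once a session was logged in. The sketch below is an added illustration, not Citibank's code; the account numbers, user names, URL layout and log format are all constructed assumptions. It shows the flawed lookup beside a hardened one, plus a simple log check for sessions requesting accounts they do not own.

```python
from collections import defaultdict

# Constructed sample data: which account number belongs to which logged-in user.
OWNERS = {"1001": "alice", "1002": "bob", "1003": "carol"}
ACCOUNTS = {n: {"number": n, "holder": u} for n, u in OWNERS.items()}

def get_account_vulnerable(session_user, account_in_url):
    """Flawed pattern: any authenticated session may read any account named in the URL."""
    if session_user is None:
        return 401, None
    record = ACCOUNTS.get(account_in_url)  # looked up by URL value only, no ownership check
    return (200, record) if record else (404, None)

def get_account_hardened(session_user, account_in_url):
    """Authorize the object on every request against the server-side session identity."""
    if session_user is None:
        return 401, None
    # Same answer for "does not exist" and "not yours", so valid numbers are not confirmed.
    if OWNERS.get(account_in_url) != session_user:
        return 404, None
    return 200, ACCOUNTS[account_in_url]

def flag_sessions(log_lines, threshold=2):
    """Return sessions that requested at least `threshold` accounts the user does not own."""
    foreign = defaultdict(set)
    for line in log_lines:
        session_id, user, path = line.split()
        account = path.rsplit("/", 1)[-1]
        if OWNERS.get(account) != user:
            foreign[session_id].add(account)
    return {s: sorted(a) for s, a in foreign.items() if len(a) >= threshold}

# Constructed access-log lines: session id, authenticated user, requested path.
SAMPLE_LOG = [
    "s1 alice /accounts/1001",
    "s2 bob /accounts/1002",
    "s2 bob /accounts/1001",
    "s2 bob /accounts/1003",
    "s3 carol /accounts/1003",
]

if __name__ == "__main__":
    print(get_account_vulnerable("bob", "1001"))  # another customer's record is returned
    print(get_account_hardened("bob", "1001"))    # request is refused
    print(flag_sessions(SAMPLE_LOG))              # session s2 stands out
```

The hardened handler takes ownership from server-side state and never from anything the browser sends; the log check is a detection aid that does not replace that control.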
Citibank officials discovered that Account Online had been breached on May 10, 2011, but they did not permanently fix the problem until May 27, 2011, and did not begin notifying affected customers until June 3, 2011.
Account information for more than 360,000 Citibank customers, including 5,066 Connecticut residents, was accessed or obtained by hackers. California was the hardest hit state, reportedly with more than 80,000 customers there affected.
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," Connecticut Attorney General George Jepsen said in a statement. "This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols."
The six-count civil complaint filed by the state in Hartford Superior Court accused Citibank of violations of the Connecticut Unfair Trade Practices Act for failing to safeguard customers' account information and for diagnosing the potential breach in 2008 but not remedying the situation until after a security breach actually occurred.
Citibank issued a statement acknowledging the data breach.
"At the time of the incident in 2011, we immediately rectified the issue and took steps to notify and protect affected customers," said the statement. "Customer data that is critical to commit identity theft was not accessed and Citi's credit card processing systems and other consumer banking online systems were not impacted. No customer was liable for any unauthorized account activity that may have occurred."
Citibank's lawyer, Melissa A. Hager, of Morrison & Foerster in New York City, who negotiated the settlement with the state, did not return repeated calls for comment last week.
Under the settlement agreement, Citibank will pay $15,000 in civil penalties to the state's Privacy Protection Guaranty and Enforcement Account, which is used for the reimbursement of losses sustained by individuals injured by certain data breaches and for enforcing the state's data breach laws. An additional $40,000 will be paid to the state's General Fund to resolve the allegations of the CUTPA violations.
Further, Citibank is required to hire an independent third party to conduct an information security audit of Account Online and report a detailed summary of its findings to the state Attorney General. The company will be required to maintain reasonable security procedures and practices to protect Account Online in the future.
Citibank must also provide appropriate notice and free credit monitoring for two years to any individual affected by certain future security incidents involving Account Online.
Assistant Attorney General Matthew Fitzsimmons, head of the state Attorney General's Privacy Task Force, along with its members, Assistant Attorneys General Lorrie Adeyemi and Michele Lucan, assisted Jepsen with the investigation.