Story updated with a statement from Rep. Langevin.
NEW YORK -- Citigroup customers' personal information and account numbers were exposed to hackers for several weeks, and industry experts are questioning why the bank waited until today to reveal the breach.
Michael Dunne, a partner at Day Pitney, says that banks do not have a specific time frame when they need to notify customers of a security failure, although they are required to do so by law at some point.
"Each financial institution is supposed to notify customers of a data breach promptly, but there may be reasons for a delay," Dunne says. "One reason is they may have coordination with law enforcement. But generally you release a notice to customers right away, like the day after."
"I think regulators really need to step it up. All companies have to disclose when their data is breached, but banks seem to be an exception to the rule," said Gartner Research analyst Avivah Litan. "There are no uniform disclosure laws. It is really just a patchwork of state laws and some banks have to report and others do not."
According to an article in the
Citi discovered the breach in "early May" during routine monitoring.
A Citigroup spokesperson said that it immediately took a look at how the breach would impact customers and "wanted to validate the situation to figure out the best way to respond to customers" when news of the breach leaked.
How a bank reacts internally to contain any fraud following the discovery of a security failure is also key.
"Financial institutions will always be targeted by hackers, and some of those attacks are going to succeed no matter how much you invest in security measures," says Celent analyst Zilvinas Bareisis. "Financial institutions need to think not only how to prevent attacks, but also take measures to ensure that if the attack is successful, the impact is minimized, for example by segregating information."
The hackers were able to access information on a small percentage of the bank's 21 million customers in North America, the FT reported.
"During routine monitoring, we recently discovered unauthorized access to Citi's Account Online. A limited number - roughly one percent - of Citi North America bankcard customers' account information (such as name, account number and contact information including email address) was viewed," said a Citigroup spokesperson.
Citigroup said that customers' Social Security numbers, birthdays and card security codes were not exposed in the attack and that it was sending out notices to customers whose security was compromised.
Litan said that this hack was unique, in that this is the first time she can think of a bank that was hacked through its website.
"I'm guessing that the hacker got in through an employee email account like Gmail," she said. "I think businesses really have to face a penalty for breaches. Regulators have failed to address this issue."
Rep. Jim Langevin (D-RI), co-founder of the Congressional Cybersecurity Caucus, put a statement out on his website, stating that he was "shocked" to learn about the incident and how Citigroup responded.
"Citigroup knew that their customers' data was potentially exposed back in early May, but is only now, a full month later, informing the public about this threat to their personal information," Langevin said. "The government must also work harder to be good stewards of the public's personal data. Many of our federal systems with large amounts of personal data are outdated, with inadequate security practices."
Citigroup's customer data was also exposed in April when Epsilon reported that they had been hacked. Epsilon manages email for banks such as Citigroup,
--Written by Maria Woehr in New York.