Citigroup claims that the reason why they waited three weeks to publicly declare the security breach is because they were conducting the investigation and sending out replacement credit cards.
Update 6/16/11: Citibank said today that a total of 360,083 accounts were actually affected by the breach in May.
While Citigroup insists that these are viable reasons to delay revealing the hack, what customer would like to receive a new credit card in the mail accompanied by a letter stating the old one has been hacked and should be destroyed? This hardly inspires confidence, even for non-hacked customers. With the speed of technology allowing information to be available online in an instant, companies, especially financial institutions, cannot wait three weeks to divulge such a breach.
Citigroup (NYSE: C) released the security breach to the public last Thursday, saying it affected about 200,000 customers, or 1% of the company’s 21 million North American credit card customers. The information included card numbers and contact information including email addresses. While Citigroup has been criticized for the length of time they waited before alerting customers of the breach, the internal investigation took about 12 days apparently forcing Citigroup to withhold the information.
With large global companies having underlying lax security standards, probably in order to maintain accessibility for its customers, it is becoming easier for motivated hackers to make their way in. Additionally, with success from previous attacks such as those on Sony and Capital One, hackers are probably becoming more confident and motivated.
However, while electronics company Sony waited only one week before alerting the public of the breach, a questionable delay as it is, Citi did not issue any warnings about the breach for several weeks. With the agitation people normally associate with their personal finance security, even lawmakers feel that companies must be forthright with data breaches.
This week the Personal Data Privacy and Security Act has been introduced, and if passed this kind of secrecy will become a crime, replacing the many disparate state laws now in place with a national procedure for reporting hacks.