Citi has issued a public notice showing that the recent breach, which allowed cyber criminals to obtain information on customer accounts, affected more accounts than its earlier projections estimated.
Citi (NYSE: C) has issued a public statement that confirmed unauthorized access to over 360,000 Citi customer credit card accounts in North America.
The figure represents a 71% increase from the 210,000 affected accounts – roughly 1% of accounts in North America – previously estimated by Citi.
The statement reiterates that customer information, including name, account number, contact information, and email address, was compromised. “However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code (CVV).”
Citi did not disclose details regarding how hackers were able to gain unauthorized access to the Citi Cards Account Online system on May 10, pending an ongoing criminal investigation.
Hackers were able to breach the bank’s online security with a rather ingenious tactic, according to a New York Times report. After logging into a legitimate credit card account, data crooks simply changed the numbers – denoting account numbers – in a page’s URL to allow them to view the account of another customer. They were able to harvest customer data after repeating the process over hundreds of thousands of accounts.
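The flaw the report describes is a missing per-account authorization check. As an added example (not Citi's code, which the article does not show; all function names, users and account numbers are constructed), the sketch below contrasts a lookup that trusts the account number in the URL with one that checks it against the logged-in session, and flags sessions that request many accounts they do not own.

```python
from collections import defaultdict

# Constructed sample data: which accounts each logged-in user owns.
OWNED = {"alice": {"1001"}, "bob": {"1002"}}
ACCOUNTS = {"1001": {"name": "Alice A."}, "1002": {"name": "Bob B."}}


class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""


def view_account_trusting_url(session_user, account_id):
    # Weak form: the account number from the URL is the only lookup key,
    # so any logged-in user can read any account by changing the number.
    return ACCOUNTS[account_id]


def view_account_checked(session_user, account_id):
    # Hardened form: the requested account must belong to the session's user.
    # Unknown and foreign accounts get the same error, so the response does
    # not reveal which account numbers exist.
    if account_id not in OWNED.get(session_user, set()):
        raise Forbidden(account_id)
    return ACCOUNTS[account_id]


def flag_enumeration(requests, threshold=3):
    """Return users who requested >= threshold distinct accounts they do not own.

    `requests` is an iterable of (session_user, account_id) pairs, e.g. parsed
    from web access logs. The threshold is an assumption to tune per site.
    """
    foreign = defaultdict(set)
    for user, account_id in requests:
        if account_id not in OWNED.get(user, set()):
            foreign[user].add(account_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Constructed request log: one session walks through other account numbers.
    log = [("alice", "1001"), ("bob", "1002"),
           ("bob", "1001"), ("bob", "1003"), ("bob", "1004")]
    print(flag_enumeration(log))
```

The ownership check belongs on the server for every request that names an account; the enumeration flag is a second line of defense for catching the pattern in logs.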
After Citi confirmed the impacted customer accounts on May 24, notifications were sent along with replacement credit cards starting June 3. Citi says that 217,657 credit cards were reissued.
A large portion of affected customers did not receive replacement credit cards “if the account is closed or has already received new credit cards as a result of other card replacement practices.”
The states with the most impacted customers were California (80,454) and Texas (44,134).