Citigroup breach exposed data on 210,000 customers

Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers' names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders.

Citigroup did not say how the website, Citi Account Online -- which is used by its customers to manage their cards -- was compromised. The bank discovered the breach, which was first reported in Thursday's Financial Times, early last month.

Other customer information, such as Social Security numbers, birthdates, card expiration dates and the three-digit code on the back of the card, were not exposed, the company said.

The affected customers are being contacted by Citigroup. However, the Citi Account Online website did not have a notification of the breach on its front page on early Thursday morning.

The Financial Times reported that several card customers only found out about the issue last weekend when transactions using their card were denied, raising questions about Citigroup's notification procedures.

Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks.

The e-mail addresses, for example, could be used to send "phishing" messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.

Phishing can also be done over the phone, with the caller impersonating someone in authority and tricking a victim into thinking they're talking to a legitimate financial institution's representative.

Send news tips and comments to jeremy_kirk@idg.com