Citigroup hacked: data for 200,000 or more US Citibank customers breached

Citigroup Inc. says hackers accessed credit card data for some 200,000 US customers. The online security breach was first discovered in May, and reported yesterday by the Financial Times (which blocks access via an onerous paywall). "The bank said it recently discovered during routine monitoring that account information for about 1 percent of customers was viewed." AP, Reuters. As The Atlantic notes, the breach may be a lot worse than Citi's letting on. But even if the damage was limited to 200,000 users, that's a breach of 1% of all North American customer accounts (21 million). Washington Post item here.


  1. Any news on who was behind it? Only had a quick skim of the linked articles so I apologise if I missed it.

  2. My local credit union has never been hacked for the secure data of its customers.

    Just saying.

    1. My local credit union has never been hacked for the secure data of its customers.

      Good for you!

      Not to mention using a local credit union is what every other patriotic American should be doing if they really want to stop these “too big to fail” bullshit operations from having so much power in Washington, D.C. and keep screwing the rest of us.

      I think if more people watched this, they’d understand why choosing a large bank is basically an act against America.

      Want to stop financial terrorism against America? Pull your money OUT of them, America.

  3. Is there any way on earth now that we can avoid losing our information to stupid websites with stupid bad internet security? If we want to live in the modern world and bank and stuff, of course.

    I just rushed over to change my password, don’t know how much it will help.

    FWIW, here are the inane password requirements Citibank forces you to follow:

    To create a secure password for your account, follow these quick and simple Password Guidelines:
    * Must include a combination of letters and numbers only // ok, so explicitly disallowing other characters — which are no harder to store or hash!!! — makes us less safe
    * Must be 6 to 12 characters // setting a top limit of 12 characters — what, 13 characters is too big to store on your server??? — makes us less safe
    * Cannot begin with a zero // adding arbitrary rules limits the number of passwords, making us less safe
    * Cannot include spaces // a space is just a character — it’s no harder to store or hash — excluding it makes us less safe
    * Cannot have more than 2 consecutive characters (for example, 222 or MMM, etc) // adding arbitrary rules limits the number of passwords, making us less safe


      1. And I tried a 16-character password and it seemed to stick.

        So not only do they have the worst restrictions on picking passwords — almost every one of which makes your password less secure — but they don’t bother to implement their own restrictions. Somehow that makes me feel worse.

        Hmmm… what do you bet that the idea was “wait! What if we need to tell people their passwords over the phone! We can’t use zeros, what if we read them as O’s? And how are you supposed to pronounce characters like ^ anyway — we need to ban those. And no one wants to have to read out a 13-character password!”

        1. Actually, I have a friend who works in customer service (not at Citibank) and you would not believe the things she’s heard people call the @ character. Like “epsilon,” “the letter kitten,” and “strudel sign.”

        2. Yes, such a system would prioritize reading-out-account-passwords-over-the-phone-to-whomever-is-calling over account security.

          Which would be consistent anyway.

          There is no reason why a bank should ever read out your password over the phone. In fact, there’s no reason a bank should ever have your plain text password in the first place. Is the one-way hash dead these days?

          1. No, I think forums still use it :D. Basically, the least important, least formal places on the internet are more secure than the most important.
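As an added illustration of the point made in this thread (not code from the original post or from Citi): a validator for the five quoted rules, and an exact count of how many passwords survive them compared with a policy that allows any printable ASCII character at the same lengths. The 62-character alphabet and the reading of rule 5 as "no three identical characters in a row" are assumptions.

```python
import math
import re

ALPHABET = 62            # assumption: a-z, A-Z, 0-9 ("letters and numbers only")
PRINTABLE = 95           # printable ASCII, used only for comparison
MIN_LEN, MAX_LEN = 6, 12

def citi_valid(pw: str) -> bool:
    """True if pw passes the five rules quoted in the comment above."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False                        # "must be 6 to 12 characters"
    if not re.fullmatch(r"[A-Za-z0-9]+", pw):
        return False                        # letters and numbers only (so no spaces either)
    if pw[0] == "0":
        return False                        # "cannot begin with a zero"
    if re.search(r"(.)\1\1", pw):
        return False                        # assumed reading of "more than 2 consecutive characters"
    return True

def count_policy_passwords(length: int) -> int:
    """Exact number of strings of this length that citi_valid accepts.
    Dynamic programme over the length of the run of identical characters
    at the end of the string (run of 1 or run of 2; a run of 3 is rejected)."""
    run1, run2 = ALPHABET - 1, 0            # first character: anything but '0'
    for _ in range(1, length):
        # append a different character (run resets to 1) or repeat once (run becomes 2)
        run1, run2 = (run1 + run2) * (ALPHABET - 1), run1
    return run1 + run2

def keyspace_bits(counts) -> float:
    """log2 of the total number of passwords across all allowed lengths."""
    return math.log2(sum(counts))

def compare_keyspaces() -> dict:
    """Bits of keyspace under the quoted rules versus printable ASCII at the same lengths."""
    policy = keyspace_bits(count_policy_passwords(n) for n in range(MIN_LEN, MAX_LEN + 1))
    printable = keyspace_bits(PRINTABLE ** n for n in range(MIN_LEN, MAX_LEN + 1))
    return {"policy_bits": policy, "printable_bits": printable, "lost_bits": printable - policy}

if __name__ == "__main__":
    # constructed sample passwords, one per rule plus the 16-character case from the reply above
    for pw in ("abc123", "0abc12", "aaa123", "abc 12", "abcdefghijklmnop"):
        print(f"{pw!r:20} -> {citi_valid(pw)}")
    print(compare_keyspaces())
```

The rules cost about seven bits of keyspace even before the 12-character cap is compared with longer passphrases; the 16-character password from the reply above is rejected by the rules as written, which is the inconsistency that reply describes.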

  4. I stopped doing business with Citibank three years ago, after my card data was stolen for the third time. On that third occasion, fraudulent transactions began appearing on a newly-issued debit card DAYS BEFORE THE CARD WAS ACTIVATED. I concluded that (a) Citi’s security was fucked; or (b) Citi itself was engaging in broad-scale intentional fucking of its customers; or (c) both.

    Switched entirely to my credit union. Zero problems since then.

  5. Damnit, there were supposed to be line breaks in that bulleted list. I meant to click preview, I swear!

    Anyway, I see now it’s supposed to just be credit card information. Since I would never willingly be a Citi customer for anything (my mortgage was transferred to them, out of my control), I feel a little safer.

  6. If you think Citibank’s password rules are inane, look up the ones for American Express. For some stupid reason you can’t have a password over 8 characters long with them.

  7. Credit union member here. You couldn’t wish for better customer service, especially if you need to call up and talk to a human. I usually get people I’ve talked to before.

  8. Is it me or have there been more hackings of these big institutions? I wouldn’t be surprised to see it was LulzSec.

  9. WARNING: My co-worker has a Citibank account, and she just discovered that their remedy is to switch customers to a new account… and then charge them $100 for doing so.

    Any of you out there w/ Citibank accounts, take heed.

    I bet the Citibank employee who came up with that policy got a raise.

  10. I see they’re trying to sneak this in when people are paying attention to Sony’s fail, seeing as it happened in May and we’re 1/3 of the way through June. So, this company had 20,000 accounts compromised and didn’t tell anyone until at least a week or more likely several had passed.

    Yep, confirmed for Sony-tier security and service.

  11. I, too, like my credit union, but come on folks, do you think their online security is any better? The size of the corporation doesn’t matter as much as you think it does when it comes to online security.
