


This isn’t the first breach in Citigroup’s history

Jun 09, 2011 | 4 mins
Data and Information Security

A look into some older articles reminds me that Citigroup has been the victim of a security breach before. Only last time, it was Citicorp.

First, a little history lesson with help from Wikipedia:

Citigroup Inc. (branded Citi) (NYSE: C, TYO: 8710) is an American multinational financial services company based in New York City. Citigroup was formed from one of the world’s largest mergers in history by combining the banking giant Citicorp and financial conglomerate Travelers Group on April 7, 1998.

Fast-forward to 2011 and today’s news that Citigroup has suffered a huge data security breach. From my Network World colleague Ellen Messmer:

Citigroup has acknowledged that hackers broke into its network and stole credit-card information related to tens of thousands of customers in North America, according to several reports.

Hackers gained access to Citi’s Account Online Service to view customer names, account numbers and contact information, including email addresses, according to the Financial Times, which first reported it, along with the Associated Press and Reuters.

Citi is contacting customers whose personal data was stolen, though Citi is saying that data did not include birth date, Social Security number, card expiration dates and card security codes. The breach is said to impact about 200,000 bank cardholders in North America.

As I stood in line at Starbucks this morning, just after reading the story, I remembered an interview I did in 2005 with Colin Crook, former CTO of Citigroup back when it was Citicorp.

You might remember that 2005 was the year people really became aware of the security breach problem, with ChoicePoint as one of the first poster kids for bad behavior.

With breaches making the news daily, Crook decided to tell a conference audience about a breach Citicorp suffered 12 years prior. If I’m doing my math correctly, we’re going back to 1993, when the Internet was still a baby.

I was working for TechTarget at the time, and here’s a snippet of my exchange with him:

What happened at Citicorp 12 years ago?

Someone was able to get into the cache management system. There were millions of dollars at stake and it was a great trauma for all of us. We knew the source was in Eastern Europe, but we didn’t know if it was from an unskilled hacker or a government organization. I was really worried that it might have been the KGB.

What steps did you take once the breach was discovered?

We called in the FBI. Tsutomu Shimomura came in to help as well. He’s the white hat who helped lead the feds to Kevin Mitnick [a hacker who spent five years in federal prison. He has since become a successful consultant, author and speaker]. Mitnick hacked into Tsutomu’s computer and left a message essentially saying, ‘Nananananana — I’ve broken into your computer.’ Tsutomu found Mitnick’s signal and tracked him down, leading the feds to him.

There’s an amusing side story to this: Tsutomu comes in to help us figure out what happened and our receptionist tried to turn him away. He was wearing blue satin shorts, a t-shirt with mathematical equations all over it, a crash helmet and rollerblades. The receptionist motions him away, saying, ‘We don’t take deliveries here.’ She thought he was a delivery boy!

None of this has any real bearing on today’s news, of course, and it’s certainly not meant as a dig toward Mitnick, who is many more years into a more reputable existence as a security consultant. But it is part of history.

It goes to show that companies have been dealing with things like this since the beginning, and many companies — like Citigroup — get hit more than once.

Luckily for me, I paid off and shredded my Citi credit card some time ago.

–Bill Brenner
