In 2011 (dubbed “The Year of the Hack”), Citigroup Inc, the third largest bank by assets at the time, suffered a major attack by hackers. Its sheer size and vast wealth made Citigroup an attractive target for hackers.
Sometimes the biggest hacks are the simplest, as was the case with the Citigroup breach. Using Citigroup’s customer website as a point of entry to get past traditional security defenses and to impersonate credit card holders, a group of sophisticated hackers broke into the bank’s vault of data and financial information, navigating for months before being detected.
The witty thieves leapfrogged between the bank accounts of various Citi customers by inserting different account numbers into the string of text found in the browser’s address bar. The hackers wrote code that repeated this process several hundred thousand times, which was their primary method of data collection. By hacking standards, this was a simple job to execute, but its genius lies in using an overlooked gateway to get in: the website’s own vulnerabilities.
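A site that trusts the account number in the address bar, as described above, has what is commonly called an insecure direct object reference. The following added example (not Citigroup's code; the account store, function names and request log are constructed for illustration) shows the missing server-side ownership check beside its fix, plus a simple log check that flags a session requesting several accounts it does not own.

```python
from collections import defaultdict

# Constructed sample store: account number -> owner and profile data.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "1002": {"owner": "bob", "name": "Bob B.", "email": "bob@example.com"},
    "1003": {"owner": "carol", "name": "Carol C.", "email": "carol@example.com"},
}

class Forbidden(Exception):
    """Raised when a session asks for an account it does not own."""

def get_account_vulnerable(session_user, account_id):
    # Flaw: trusts the account number from the URL; the session is never consulted.
    return ACCOUNTS.get(account_id)

def get_account_hardened(session_user, account_id):
    # Fix: authorize every request against the logged-in user, on the server.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(account_id)  # same error for missing and foreign ids
    return record

def flag_enumeration(request_log, max_foreign=1):
    """Return sessions that requested more than max_foreign accounts they do not own."""
    foreign = defaultdict(set)
    for session_user, account_id in request_log:
        record = ACCOUNTS.get(account_id)
        if record is None or record["owner"] != session_user:
            foreign[session_user].add(account_id)
    return sorted(u for u, ids in foreign.items() if len(ids) > max_foreign)

# Constructed request log: (logged-in user, account number taken from the URL).
SAMPLE_LOG = [
    ("alice", "1001"),
    ("bob", "1002"), ("bob", "1001"), ("bob", "1003"), ("bob", "9999"),
    ("carol", "1003"), ("carol", "1002"),
]

if __name__ == "__main__":
    print(get_account_vulnerable("bob", "1001"))  # returns Alice's record to Bob
    try:
        get_account_hardened("bob", "1001")
    except Forbidden as exc:
        print("denied:", exc)
    print(flag_enumeration(SAMPLE_LOG))
```

The threshold in `flag_enumeration` is an assumption; a real deployment would tune it against normal traffic and alert on the denied requests the hardened handler produces.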
By the time the theft was realized, approximately 360K of Citigroup’s North American accounts were affected by the breach. Customer names, account numbers, and contact information were accessed, but the company maintains that the critical data needed to commit fraud, such as expiration dates and 3-digit card security codes, was not compromised.
Approximately 217K customers were reissued cards and given a notification letter, while the remaining accounts were fortunately inactive. Notification was not issued until about 9 days after the breach was discovered. It took about 7 days after discovery to identify the affected accounts, which made up about 1% of the 21 million North American Citigroup customers. Ultimately, the theft resulted in a $2.7 million loss for the company.
The Data Breach Market is Growing:
In 2011, many security pundits were scratching their heads wondering why so much hacking was happening. Experts answered that the increased number of cyber attacks correlates with the increased amount of information being stored online.
Hackers are not just interested in stealing money. With critical information such as contact information and ID numbers, they can sell the raw materials on the black market, a market that has been valued in the billions. The black market started small but has been growing into a much more sophisticated marketplace saturated with brokers selling information in internet bazaars. Criminals then use the stolen information to impersonate credit card owners and to buy merchandise.
In addition, many organizations are not taking cyber security very seriously, which leaves numerous vulnerabilities that are just too attractive for hackers to ignore.
- The biggest lesson from the Citigroup breach is to have your website audited by professionals. If Citigroup had audited the site and repaired the vulnerabilities, none of this would have happened.
- A secondary lesson is that Citigroup should have publicized the breach on the day that it occurred. This would have reassured its customers that it was being transparent and taking the matter seriously.
Although this breach occurred nearly 4 years ago, many of the techniques are still prevalent today. It’s a shame, however, how many breaches have occurred since 2011, illustrating the lack of urgency around data theft prevention and security from corporations today. Due to this lack of urgency, coupled with the precipitous rate of growth, we are seeing major growth in the “black market.” It will be interesting to see what it will take for companies to put security and risk prevention at the top of their to-do lists.