Citigroup Faces Class-Action Lawsuit for May Breach

Monday, October 10, 2011



Citigroup is facing the prospect of a class-action lawsuit over allegations that the company did not adequately secure sensitive data, and that it made little to no effort to mitigate risks for customers after the breach was discovered.

Citigroup confirmed in June that an unauthorized network access event in May had compromised the private account details of over 360,000 North American banking clients, or about 1.5% of its clientele in that market.

Kristina and Steven Orman of Northport, New York, filed the suit in a Manhattan federal court last week. The plaintiffs are seeking class-action status for the case, alleging that Citigroup did not make sufficient efforts to prevent fraudulent use of the stolen financial information.

“Defendants have taken no steps that adequately or effectively protect cardholders against illegal use of the cardholders’ sensitive and extensive financial records since the breach,” the plaintiffs state in the court filing.

The suit alleges that Citigroup was more concerned with cost overruns than with providing customers with adequate data security protocols.

“Defendants were willing to accept security risks to save money for the bank while exposing the customer to huge financial risk,” the complaint continues.

Citigroup is also being knocked for failing to explain how it was determined that “more sensitive information like social security numbers, birth dates, card expiry dates and CVV card security codes were not compromised,” according to the complaint.

Officials from the banking giant estimate that $2.7 million was stolen from about 3,400 accounts in the attack.

“Customers are not liable for any fraud on the accounts and are 100 percent protected,” bank officials said soon after the breach was made public.

Citigroup said it had detected the breach of the Citi Account Online network through routine monitoring of the systems. It appears that only credit card accounts were exposed in the breach, though some reports had suggested that some debit card information may have been involved.

Citigroup immediately reported the security incident to law enforcement and regulatory authorities, but waited about three weeks before beginning the process of notifying potentially affected customers.

The Citigroup breach is considered one of the very few successful hacks against a major bank's systems, and underscores the need for continued vigilance by financial institutions and their clients where security best practices are concerned.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.