Saturday, December 03, 2011

New York - About 200,000 Citibank credit card customers in North America have had their names, account numbers and email addresses stolen by hackers who broke into Citi ‘s online account site.

Citigroup Inc. said it discovered that account information for about 1 percent of its credit card customers had been viewed by hackers. Citi has more than 21 million credit card customers in North America, according to its 2010 annual report. The New York-based bank, which discovered the problem during routine monitoring, didn’t say exactly how many accounts were breached. Citi said it was contacting those customers.

The bank said hackers weren’t able to gain access to social security numbers, birth dates, card expiration dates or card security codes. That kind of information often leads to identity theft, where cyber criminals empty out bank accounts and apply for multiple credit cards. That can debilitate the finances and credit of victims. Citi customers could still be vulnerable other problems. Details about their bank accounts and financial information linked to them could be acquired using the email information and account numbers hackers stole.

Federal regulators have taken notice and are asking banks to improve security.

“Both banks and regulators must remain vigilant,” said Sheila Bair, chair of the Federal Deposit Insurance Corporation. She said federal agencies, including the FDIC, are developing new rules to push banks to enhance online account access.


The Citi data breach was the latest in a series of recent high-profile data attacks against a number of major firms.

—On June 1, Google Inc. said that the personal Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists, had been breached.

—On May 30, broadcaster PBS confirmed that hackers cracked the network’s website and posted a phony story claiming dead rapper Tupac Shakur was alive in New Zealand.

—On May 28, defense contractor Lockheed Martin Corp. said it had detected a “significant and tenacious attack” against its computer networks. The company said it took swift and deliberate actions to protect the network and the systems remain secure.

—In April, media and electronics company Sony Corp.‘s PlayStation Network was shut down in April after a massive security breach that affected more than 100 million online accounts.

—Also in April, hackers penetrated a network operated by a data marketing firm Epsilon. The company handles email communications for companies like Best Buy Co. and Target Corp.

The number of data breaches in the last two months sets a “high water mark,” said John Ottman, CEO of Application Security Inc., a New York-based firm that specializes in securing databases, the big repositories companies use to organize account information and other data.

“Attackers have realized that most organizations have not properly protected databases,” Ottman said.

Cyber attackers have a variety of less-dangerous motivations, from mischief to online activism. For example, a group identifying itself as LulzSec claimed credit for the fake PBS article calling it retaliation for a documentary about WikiLeaks, the website that publishes classified documents.

But often such data breaches are an attempt to steal personal data, which is likely the case with Citi. Hackers also will pose as legitimate companies in a tactic known as “phishing,” where they try to get users to supply additional information like social security numbers and email or bank passwords to get access to their financial information.

The fact that the Citi hackers only got a few pieces of personal data on customers may limit what crooks can do with the information, said Susan Grant, director of consumer protection at Consumer Federation of America, a consumer advocacy group.

“But any ID theft is worrisome for consumers,” Grant said. She believes companies are responsible for protecting their customers’ information from internal and external abuse.

In an emailed statement, Sean Kevelighan, a spokesman for Citi said the bank is contacting affected customers and enhancing procedures to prevent a similar security breach from happening again.

“For the security of these customers, we are not disclosing further details,” he said.

Hackers breached two computer stations owned by Vacationland Vendors of Wisconsin Dells, placing about 40,000 credit or debit card users at risk of theft.

The computers were at the Wilderness Resorts in Lake Delton and Sevierville, Tenn, where Vacationland Vendors operates the arcades. The company owns and operates 11 arcades and has been in operation 30 years. Vacationland Vendors is one of the Gussel family's businesses, which also include Holiday Wholesale as well as convenience stores and Dunkin Donut franchises.

A notice on the Vacationland Vendors web site says, "Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort. Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker."

Evan N. Zeppos, of the public relations firm, Zeppos & Associates, which is handling publicity about the breach, said the company was alerted to the breach by calls from one or two customers. The breach occurred on March 22.

No other computer systems in the Vacationland Vendors system with credit card information have been breached by hackers, Zeppos said.

Zeppos said when Vacationland learned of the breach, it called in forensic experts to look at the rdata in the system.

"Once we became aware of the breach, we immediately shut down the credit card system and took it offline April 1," Zeppos said.

Since then, the company has upgraded its security on the computer system. "We . . . believe we now have the highest level of security."

Although 40,000 credit or debit card users data was stored, Zeppos said it is believed that fewer than 20 individuals were impacted.

He suggested that anyone who used who used credit or debit cards at one of the affected arcades from Dec. 12, 2008 to May 25, 2011 should check their credit card statements for any unusual activity. Paying close attention to credit and debit card statements is a good thing to do. Saying he does not want to make excuses for the company, he encouraged customers to be diligent and vigilant for illegal use of their cards.

Heidi Fendos, of Fendos Public Relations, which handles public relations for the Wilderness resorts, said customers who used credit or debit cards at the resorts are being asked to carefully check their credit card statements.

"When they made our resort aware of the breach to one of their credit card stations in our Wild West Mega Arcade, we had them immediately cease all credit card activity in their leased area," Fendos said.

"Our resort wants to make it clear that the Wilderness Resort's credit card system was never compromised at any time during this situation with Vacationland Vendors' credit card station," Fendos said.

Vacationland Vendors continues to lease and operate the arcades at Wilderness, but the area is cash-only now. Credit cards are no longer accepted.

Zeppos said Vacationland is trying for broad dissemination of the information about the threat and has information on its web site, about what to do. The site says to do the following:

■ Watch for any unusual activity on your bank statements, credit card account or suspicious items on your bills.

■ Contact any of your credit card issuers, banks or credit unions, and inform them of this incident.

■ Place a fraud alert on your consumer credit file. A fraud alert instructs creditor to watch for unusual or suspicious activity in your accounts, and provides creditors with notice to contact you separately before approving an extension of credit. To place a fraud alert, free of charge, contact one of the three national credit reporting agencies listed below. You do not need to contact all three; rather, the agency that you contact will forward the fraud alert to the other two agencies on your behalf

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

"This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active," Sullivan told CNN. Have you been a victim of identity theft?

The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney's office in San Diego, he said.

The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Justice Department said.

Some credit and debit card numbers were sold on the Internet, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said.

Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.

"There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia," Sullivan said. "The 41 million credit and debit numbers were used internationally."