Citi Pays $55,000 For $2.7 Million 2011 Breach

Citi has paid $55,000 to settle a lawsuit by the Connecticut attorney general over a 2011 breach that exposed payment card numbers of 360,000 cardholders—only 5,066 of which were from Connecticut. The settlement, which was announced last Thursday (Aug. 29), is the first to come out of the breach more than two years ago, and could set the standard for settlements in other states. (California had more than 80,000 affected cardholders, and it helped out with the Connecticut investigation.)

At the time the breach was revealed in June 2011, media reports said thieves eventually stole $2.7 million using affected accounts. Reports also said the hackers didn't have to do anything sophisticated to get access to the card data. The thieves just logged into the Citi site reserved for credit card customers, noticed that the URL included the account number, replaced that with a different account number and got access to another customer's information without any further authentication. An automated program made it possible to collect data on hundreds of thousands of numbers. And that, unfortunately, isn't the worst of it.

According to the announcement of the Connecticut settlement, Citi has agreed to pay $55,000 to the state, and is also "required to hire an independent third party to conduct an information security audit of Account Online and report a detailed summary of its findings to the Attorney General. The company will be required to maintain reasonable security procedures and practices to protect Account Online in the future. Citibank must also provide appropriate notice and free credit monitoring for two years to any individual affected by certain future security incidents involving Account Online."

Got that? Two years after the breach, Citi's settlement requires it to hire an independent security auditor. So soon? But let's give Citi the benefit of the doubt and assume that it has hired plenty of outside security auditors over the past two years on this case. The settlement also requires Citi to maintain reasonable security procedures and practices, and to provide free credit monitoring to future victims of security breaches on its system.

It took two years of investigations and negotiations for Citi to agree to things it should be doing as a matter of normal practice? If this breach had involved a retailer, Visa would have started assessing and collecting PCI fines in six months. We can say that with confidence because that's how long it took Visa to start collecting fines from Genesco, and Citi's breach was due to a spectacularly bigger and more easily exploitable security hole than Genesco's.

And that, really, is where we get to the worst of this bad situation: We've heard nothing from Visa. Zip. Nada.

As StorefrontBacktalk PCI Columnist Walt Conway asked about the breach when it happened, "Will Citi treat itself as harshly as it does its retailer customers that are breached? I wonder (and I imagine just about every merchant or processor that paid for PCI compliance or suffered a breach is wondering, too) if Citigroup will face similar consequences."

We know now. If a retailer handling as many card accounts as Citi had as serious a security hole as Citi's for three years, Visa's PCI fine would be astronomical. There would be no way the retailer could hide it, because it would have to show up in earnings statements and SEC filings.

But so far, there have been no reports of any Visa or MasterCard fines or assessments on Citi. The card brands haven't even publicly required that Citi validate its PCI compliance—that is, to actually meet the standards that Citi wouldn't hesitate to cite in passing along a card-brand fine to any breached retailer.

At least it's nice to know that, while Visa is more forgiving to one of its favored issuers, Connecticut's AG can get worked up over theft from a mere 5,000 of his constituents. And California is next in line.