The hackers accessed customers’ names, account numbers and email addresses. They did not get to see other information especially useful for committing fraud, including Social Security numbers, dates of birth, card security codes and expiration dates, according to the bank.
The attack affected Citi’s Account Online system, but not the company’s main transaction processing network. The company assured consumers that they won’t have to pay for any fraudulent purchases resulting from the data breach.
“Our customers are not liable for any unauthorized use of their accounts,” Citi said in a press release.
The bank has been criticized by some, including Sen. Robert Menendez (D-N.J.), for taking three weeks to notify customers about the breach. In its statement, Citi said it responded as soon as the breach was detected, but that it required the analysis of “millions of pieces of data” before company researchers could figure out how much information the hackers accessed.
The attack was discovered on May 10. Citi told reporters about it on June 8, and the first notification letters were mailed to consumers on June 3. Most customers whose information was compromised received replacement credit cards.
Image: Liam Dunn, via Flickr