The hack affected a "limited number," roughly 1 percent, of Citi's North America bankcard customers, the company said in a statement. Compromised information includes name, account number, and contact information like email addresses.
"The customer's Social Security number, date of birth, card expiration date, and card security code (CVV) were not compromised," Citi said.
This apparently is a standalone hack. Troy Gill, security analyst at AppRiver, told me:
While it is unclear how Citigroup's network was compromised, we are fairly certain that it is unrelated to the most recent Sony, PBS, and Infragard attacks. Those attacks were performed by a group of individuals who typically communicate their undertakings in a prompt manner, and no ownership of the Citigroup attack has been communicated at this time. But one thing remains certain, information security must be taken seriously as today's IT threats are ever-evolving. That's why companies should allocate appropriate resources towards thwarting off innovative attack vectors so that breaches of this magnitude have less likelihood of occurring in the future.
One thing appears to be certain: The increase of these high-profile breaches will strain already tight security budgets. An article in The Economic Times pointed to Forrester research:
Forrester estimates that security ate up about 8 percent of North American and European corporate IT budgets in 2007, and that figure grew to 14 percent in 2010. With companies now anxious not to be the ones hacked next time, that figure looks sure to go up.
As Mark Hatton, president and CEO of Core Security, commented:
As we learn more about the Citigroup attack, we will understand better what happened and how it could have been prevented. In the meantime, given the frequency of recent attacks, more and more companies must get proactive about testing security posture. These attacks are happening because companies are not ‘thinking like hackers do,' and they are being too passive. Citigroup global enterprise payments head Paul Galant, who previously ran the bank's credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. Recent news supports this claim. Deploying defensive technologies and hoping they keep the bad guys out is clearly not working. The best way for companies to get ahead of the increasingly aggressive threat landscape is to get proactive and find the holes in their security defenses before the bad guys do.