BreachExchange mailing list archives

Re: [Update]: Citi Hackers Made $2.7 Million


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 25 Jun 2011 15:27:32 -0400

On Sat, Jun 25, 2011 at 3:05 PM, Jeffrey Walton <noloader () gmail com> wrote:
http://www.pcworld.com/businesscenter/article/231182/citi_hackers_made_27_million.html

Citigroup suffered about US$2.7 million in losses after hackers found
a way to steal credit card numbers from its website and post
fraudulent charges.

Citi acknowledged the breach earlier this month, saying hackers had
accessed more than 360,000 Citi credit card accounts of U.S.
customers. The hackers didn't get into Citi's main credit card
processing system, but were reportedly able to obtain the numbers,
along with the customers' names and contact information, by logging
into the Citi Account Online website and guessing account numbers.

Hmmm..... 2.7 million stolen because the hackers were able to guess
account numbers. The terms "application security" and "egregious
security related defect in the system" come to mind. I think the legal
term is "grossly negligent".

I think this is the score card to date:
* Hackers abscond with $2.7 million
* Citigroup passes loss onto shareholders (risk is democratized)
* Citigroup rewards its executives for a job well done via bonuses
(reward is privatized)
* Citigroup directs affected individuals to FTC for Identity Theft Awareness
* Citigroup advises affected individuals to monitor their credit well-being

So, the hackers have won, the Citigroup executives have won, the
shareholders have lost, and the affected individuals have lost. This really
begs two questions: why are shareholders and individuals bearing the
burden of Citigroup's incompetence?
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
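Added illustration (not part of the original message or of the PCWorld article, and not a description of Citi's actual code): the failure the article describes, a logged-in user retrieving other customers' records by guessing account numbers, is a missing object-level authorization check (an insecure direct object reference). The example below models a minimal account-lookup endpoint with constructed session and account data, shows the vulnerable lookup beside one that checks ownership, simulates the guessing attack against both, and adds a per-session enumeration detector of the kind that would surface this activity in web logs. All customer names, account numbers, session tokens and thresholds are made up.

```python
"""Insecure direct object reference (IDOR) on an account-lookup endpoint,
the authorization check that closes it, and a per-session enumeration
detector.  Constructed example: the accounts, sessions and request log
are made up and do not describe any real bank's system."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    number: str   # 16-digit account number (constructed)
    owner: str    # customer id of the account holder (constructed)
    name: str
    email: str


# Constructed back-end data.  The numbers are sequential, which is what
# makes blind guessing cheap: a valid number plus one is probably valid.
ACCOUNTS = {
    "4000000000001001": Account("4000000000001001", "cust-1", "Alice", "alice@example.com"),
    "4000000000001002": Account("4000000000001002", "cust-2", "Bob", "bob@example.com"),
    "4000000000001003": Account("4000000000001003", "cust-3", "Carol", "carol@example.com"),
}

# Constructed session store: session token -> authenticated customer id.
SESSIONS = {"sess-alice": "cust-1"}


class Forbidden(Exception):
    """Raised for unauthenticated or unauthorized requests."""


def lookup_vulnerable(session_token: str, account_number: str) -> Optional[Account]:
    """Authenticates the caller, then returns whatever account was asked for.
    Authentication is checked; authorization for *this* object is not, so
    any logged-in user can walk the whole number space."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(account_number)


def lookup_hardened(session_token: str, account_number: str) -> Optional[Account]:
    """Same endpoint with the missing check: the account must belong to the
    authenticated customer.  Unknown and foreign accounts get the same
    response, so the reply does not confirm that a guessed number exists."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != customer:
        raise Forbidden("no such account for this customer")
    return account


def is_denied(lookup: Callable, session_token: str, account_number: str) -> bool:
    """True if the endpoint refuses the request (used by callers and tests)."""
    try:
        lookup(session_token, account_number)
    except Forbidden:
        return True
    return False


def enumerate_neighbours(lookup: Callable, session_token: str, start: int, count: int) -> List[str]:
    """Simulates the guessing attack: increment the account number from
    `start` and collect the customer names the endpoint hands back."""
    found = []
    for n in range(start, start + count):
        if is_denied(lookup, session_token, str(n)):
            continue
        acct = lookup(session_token, str(n))
        if acct is not None:
            found.append(acct.name)
    return found


def flag_enumerating_sessions(request_log: Iterable[Tuple[str, str]], threshold: int) -> Set[str]:
    """Detection heuristic for the web-server log: a real customer views a
    handful of accounts, so a session requesting more than `threshold`
    distinct account numbers is flagged.  `request_log` yields
    (session_token, account_number) pairs."""
    distinct = defaultdict(set)
    for token, number in request_log:
        distinct[token].add(number)
    return {token for token, numbers in distinct.items() if len(numbers) > threshold}
```

Run `enumerate_neighbours(lookup_vulnerable, "sess-alice", 4000000000001000, 5)` to see Alice's session pull back Bob and Carol; the hardened lookup returns only Alice. The detector is deliberately simple (distinct object ids per session); in practice you would also key on source IP and rate, but even this threshold separates a customer browsing their own accounts from a session sweeping the number space.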
