Connecticut Attorney General George Jepsen wants more information from Citigroup because he says the company’s disclosures about a recent data breach fail to explain how it occurred and what is being done to protect affected customers from potential financial fraud.
“As one of the largest lending institutions in the country, Citigroup must assiduously protect the personal information it collects from its customers and employ the highest levels of data security. I expect Citigroup to fully compensate and protect any Connecticut consumers harmed as a result of this breach,” Jepsen wrote in a letter Monday to the corporation’s chief executive officer and general counsel.
Citigroup said last week that account information – name, account number and contact information, including e-mail address -- of approximately 1 percent of its Citi North America bankcard customers was viewed as a result of “unauthorized access” to Citi’s Account Online.
It turns out, however, that the attack occurred nearly a month before the bank got around to telling anyone about it.
“Unfortunately, critical facts about the intrusion remain unclear, including details concerning the number and characteristics of impacted accounts, the cause of the breach, the steps taken to notify and protect the affected individuals, and the nature of any procedures adopted to prevent future data breaches,” Jepsen said.
Citi says it took all appropriate measures.
“Citi immediately rectified the data breach upon discovery, while also placing internal fraud alerts and monitoring on all accounts at risk,” a spokesman said. “Simultaneously, we began analysis to determine the precise accounts and type of information accessed, which resulted in roughly 1 percent of North America Citi-branded credit cards. Within three weeks -- June 3 precisely -- we began sending notification letters to clients, the majority of which included re-issued credit cards.”