Breaking News


Citigroup Took Three Weeks to Notify Customers of Breach

Citigroup Inc. (C), the third-biggest U.S. lender, took as long as three weeks to notify customers after data for about 210,000 credit-card accounts in North America were breached.

“Citi immediately rectified the data breach upon discovery, while also placing internal fraud alerts and monitoring on all accounts at risk,” Sean Kevelighan, a spokesman for Citigroup, said today in an e-mailed statement. “Simultaneously, we began analysis to determine the precise accounts and type of information accessed, which resulted in roughly 1 percent of North America Citi-branded credit cards. Within three weeks -- June 3 precisely -- we began sending notification letters to clients, the majority of which included re-issued credit cards.”

Online intruders accessed customer names, account numbers and contact information, the New York-based company said in an e-mailed statement last week. Social Security numbers, dates of birth and bank-card security codes weren’t breached, the bank said last week.

Citigroup had 21.1 million credit-card accounts at the end of the first quarter. Chief Executive Officer Vikram Pandit, 54, shuffled the business in September, replacing unit head Paul Galant with Judson Linville, a former American Express Co. (AXP) executive. The division said first-quarter profit from continuing operations more than tripled to $460 million from the same period a year earlier.

The Wall Street Journal reported the delay in alerting customers earlier today, saying the bank’s internal investigation took 10 to 12 days after beginning within 24 hours of the discovery. The Journal cited an unnamed person familiar with the situation.

To contact the reporters on this story: Donal Griffin in New York at; Michael J. Moore in New York at

To contact the editor responsible for this story: David Scheer at

Press spacebar to pause and continue. Press esc to stop.

Bloomberg reserves the right to remove comments but is under no obligation to do so, or to explain individual moderation decisions.

Please enable JavaScript to view the comments powered by Disqus.