Citigroup Inc. (C), the third-largest U.S. bank, was sued by cardholders over a May computer security breach that affected more than 360,000 accounts.
Kristina and Steven Orman of Northport, New York, sued Citigroup in federal court in Manhattan today, seeking to represent victims of the hacking in a class-action, or group, lawsuit. Money was stolen from their bank account and their credit cards were illegally used by third parties following the breach, they said.
“Defendants have taken no steps that adequately or effectively protect cardholders against illegal use of the cardholders’ sensitive and extensive financial records since the breach,” the Ormans alleged in the complaint. They seek unspecified damages.
Citigroup said in June that the breach, affecting 1.5 percent of its card customers in North America, was discovered at Citi Account Online during routine monitoring. Customers’ names, account numbers and e-mail addresses were viewed, Citigroup said.
Sean Kevelighan, a spokesman for New York-based Citigroup, said bank officials haven’t seen the lawsuit and couldn’t comment on it.
A weakness in Citigroup’s online security allowed hackers to use a “brute force data intrusion” to access thousands of cardholders’ accounts, the Ormans said. While Citigroup said the breach occurred and was “immediately rectified” by May 24, it didn’t notify customers until June 3, the Ormans said.
Citigroup also failed to disclose how it concluded that “more sensitive information like social security numbers, birth dates, card expiry dates and CVV card security codes were not compromised,” according to the complaint.
“Defendants were willing to accept security risks to save money for the bank while exposing the customer to huge financial risk,” the Ormans said.
The case is Orman v. Citigroup Inc., 11-cv-7086, U.S. District Court, Southern District of New York (Manhattan).
To contact the reporter on this story: Patricia Hurtado in New York at email@example.com.
To contact the editor responsible for this story: Michael Hytha at firstname.lastname@example.org.