Bloomberg Anywhere Login

Bloomberg

Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.

Company

Financial Products

Enterprise Products

Media

Customer Support

  • Americas

    +1 212 318 2000

  • Europe, Middle East, & Africa

    +44 20 7330 7500

  • Asia Pacific

    +65 6212 1000

Communications

Industry Products

Media Services

Follow Us

Citigroup Sued by Cardholders Over May Security Breach

Oct. 7 (Bloomberg) -- Citigroup Inc., the third-largest U.S. bank, was sued by cardholders over a May computer security breach that affected more than 360,000 accounts.

Kristina and Steven Orman of Northport, New York, sued Citigroup in federal court in Manhattan today, seeking to represent victims of the hacking in a class-action, or group, lawsuit. Money was stolen from their bank account and their credit cards were illegally used by third parties following the breach, they said.

“Defendants have taken no steps that adequately or effectively protect cardholders against illegal use of the cardholders’ sensitive and extensive financial records since the breach,” the Ormans alleged in the complaint. They seek unspecified damages.

Citigroup said in June that the breach, affecting 1.5 percent of its card customers in North America, was discovered at Citi Account Online during routine monitoring. Customers’ names, account numbers and e-mail addresses were viewed, Citigroup said.

Sean Kevelighan, a spokesman for New York-based Citigroup, said bank officials haven’t seen the lawsuit and couldn’t comment on it.

‘Brute Force’

A weakness in Citigroup’s online security allowed hackers to use a “brute force data intrusion” to access thousands of cardholders’ accounts, the Ormans said. While Citigroup said the breach occurred and was “immediately rectified” by May 24, it didn’t notify customers until June 3, the Ormans said.

Citigroup also failed to disclose how it concluded that “more sensitive information like social security numbers, birth dates, card expiry dates and CVV card security codes were not compromised,” according to the complaint.

“Defendants were willing to accept security risks to save money for the bank while exposing the customer to huge financial risk,” the Ormans said.

The case is Orman v. Citigroup Inc., 11-cv-7086, U.S. District Court, Southern District of New York (Manhattan).

To contact the reporter on this story: Patricia Hurtado in New York at pathurtado@bloomberg.net.

To contact the editor responsible for this story: Michael Hytha at mhytha@bloomberg.net.

Please upgrade your Browser

Your browser is out-of-date. Please download one of these excellent browsers:

Chrome, Firefox, Safari, Opera or Internet Explorer.