Citigroup Took Three Weeks to Notify Customers of Breach
“Citi immediately rectified the data breach upon discovery, while also placing internal fraud alerts and monitoring on all accounts at risk,” Sean Kevelighan, a spokesman for Citigroup, said today in an e-mailed statement. “Simultaneously, we began analysis to determine the precise accounts and type of information accessed, which resulted in roughly 1 percent of North America Citi-branded credit cards. Within three weeks -- June 3 precisely -- we began sending notification letters to clients, the majority of which included re-issued credit cards.”
Online intruders accessed customer names, account numbers and contact information, the New York-based company said in an e-mailed statement last week. Social Security numbers, dates of birth and bank-card security codes weren’t breached, the bank said last week.
Citigroup had 21.1 million credit-card accounts at the end of the first quarter. Chief Executive Officer Vikram Pandit, 54, shuffled the business in September, replacing unit head Paul Galant with Judson Linville, a former American Express Co. (AXP) executive. The division said first-quarter profit from continuing operations more than tripled to $460 million from the same period a year earlier.
The Wall Street Journal reported the delay in alerting customers earlier today, saying the bank’s internal investigation took 10 to 12 days after beginning within 24 hours of the discovery. The Journal cited an unnamed person familiar with the situation.
To contact the editor responsible for this story: David Scheer at email@example.com