* FDIC's Bair calls on banks to improve data security
* FDIC developing guidance on online data authentication
* Citi says 1 pct of card customers affected by breach
* Citi plans to replace 'majority' of 200,000 cards
(Refiles to add end quote mark and FDIC explanation)
By Maria Aspan
NEW YORK, June 9 - Major U.S. banks came under
growing pressure from banking regulators to improve the security
of customer accounts after Citigroup Inc (C.N) became the latest
high-profile victim of a cyber attack.
While Citigroup insisted the breach had been limited,
experts called it the largest direct attack on a major U.S.
financial institution, and said it could prompt an overhaul of
the banking industry's data security measures.
The Federal Deposit Insurance Corp, a primary U.S. bank
regulator, is preparing new measures on data security. Its
chairman Sheila Bair said on Thursday she may ask "some banks to
strengthen their authentication when a customer logs onto online
Citigroup said late on Wednesday that computer hackers
breached the bank's network and accessed the data of about
200,000 credit-card holders in North America. It would not
discuss what new security measures Citi is taking.
The third-largest U.S. bank waited more than a month before
making the full extent of the breach public, drawing criticism
on Thursday from lawmakers and lawyers.
Citigroup is the latest in a growing list of companies that
have suffered cyber attacks, including Sony (8729.T), Google Inc
(GOOG.O) and Lockheed Martin (LMT.N). The bank also has faced
problems with customer security before. In April, a massive data
breach at the email marketer Epsilon exposed the names and email
addresses of customers at many large U.S. companies and banks,
including Citigroup. And a 2008 attack on a Citigroup computer
server let hackers withdraw at least $750,000 from the bank's
cash machines in New York City.
Security experts said the latest attack may be a watershed
moment for the U.S. banking industry, which until now has
suffered fewer direct hacker attacks than retailers.
"We're getting to the tipping point in terms of the number
of fraud cases," said Gartner Research security analyst Avivah
As regulators weigh whether to require more spending on
security, "this could be the straw that breaks the camel's
back," she said.
Citigroup spokesman Sean Kevelighan said on Thursday that
the bank would replace "the majority" of the credit cards
affected by the data breach. The bank said its attackers viewed
the names of customers, account numbers and contact
information, including e-mail addresses.
Citigroup said other information such as birth dates,
social security numbers, card expiration dates and card
security codes (CVV) were not compromised.
Debit cards were not affected, Kevelighan said on
The Financial Times reported on Wednesday that the bank
discovered the breach in early May.
Kevelighan on Thursday told Reuters that once the bank
became aware of the attack, "we immediately took steps to
monitor the impacted customers' accounts." But he would not
further explain the bank's decision to delay making the breach
public, citing security reasons.
Like Sony, which has declared several security breaches of
its networks this year, Citi has already started to come under
fire for not telling customers sooner.
U.S. Representative Mary Bono Mack is preparing legislation
to ensure faster notification to customers, her spokesman told
U.S. Representative Jim Langevin, who follows cyber issues
closely, said that data breaches were a fact of life but that
companies had to inform customers.
"I was shocked by the report that Citigroup knew that their
customers' data was potentially exposed back in early May, but
is only now, a full month later, informing the public about
this threat to their personal information," he said in a
Ira Rothken, a San Francisco-based attorney who represents
plaintiffs in hacking cases, said his firm is investigating
whether the information compromised in the Citi breach has led
to any secondary intrusions against impacted customers.
"If a bank can't keep data secure, it's going to have a
chilling effect not only on the banking industry, but on
ecommerce," Rothken said.
Cyber attacks at banks could dampen customers' enthusiasm
to pay for things online or with their phones. Many banks,
including Citigroup, are trying to develop ecommerce and mobile
payments projects in the hopes of generating more revenue from
Other large U.S. banks have a better record of informing
and helping customers whose data has been compromised,
according to the payments consulting firm Javelin Strategy and
Research. Bank of America Corp (BAC.N), Discover Financial
Services (DFS.N) and US Bancorp (USB.N) all scored higher than
Citigroup a year ago when Javelin assessed how well the top
U.S. lenders dealt with potential data compromises affecting
Banks' "strong preference is to handle things themselves
and not get the customer involved until the bank believes that
they've handled all the important parts" of the investigation,
Javelin founder James Van Dyke said.
"I don't think that makes sense" when dealing with
potential identity fraud, he said.
Kevelighan would not discuss how Citigroup's breach had
occurred. Another Citi spokesman, James Griffiths in Hong Kong,
said the breach had affected 1 percent of North American card
customers, which the bank's annual report says total 21 million.
Banks can be particularly attractive targets for cyber
criminals, Bair said on Thursday. "It's kind of a constant.
It's one of the many risks that you have to deal with."
Federal banking regulators last updated their guidance on
Internet banking security standards in 2005.
The regulators proposed an update to those standards in
December 2010, saying they were "increasingly concerned that
customer authentication methods implemented several years ago
may no longer be effective ... (and) have also become aware
that some institutions have failed to perform periodic risk
assessments and update their control mechanisms
Such updated standards would likely have more of an impact
on small banks than on big financial companies, which already
spend heavily on data security protection, said Aite Group
analyst Julie Conroy McNelley.
But updated federal guidance for banks is "something that
is long overdue," she said.
(Reporting by Maria Aspan; additional reporting by Ross Kerber
in Boston, Diane Bartz in Washington and Dan Levine in San
Francisco; editing by John Wallace, Gunna Dickson and Stella