Citigroup data breach shows why we need fed rules to protect personal data online

Citi had good security and got hit anyway; that shows how huge the risk is from those with bad security

It's not exactly a positive sign that Citigroup announced its security had been breached and someone got access to records on thousands of credit-card customers.

The security involved was tight enough that hackers didn't get everything they wanted, the number of customers affected is in the hundreds of thousands, not millions, and Citi's example may push through serious reform in requirements for security that could stop what has become a tiresomely long list of enormous data breaches. (Sony announced another breach, btw, with the loss of 375,000 customer records; writing about the Sony Customer Data Distribution Channel has become too repetitive, however, so I'll ignore most of them unless Sony does something drastic, like fix its security.)

About 1 percent of Citi bank card holders were exposed, according to Citigroup's announcement, though 1 percent for Citi still means something like 200,000 customers out of its 21 million, according to the Financial Times (registration required).

Hackers got customer names, account numbers, addresses, email addresses and a few other demographic fields.

They didn't get Social Security numbers, card expiration dates or the little security code on the back of the card, because those were stored in a separate location.

Splitting a single customer record into two segments to be stored separately is a good way to add security, especially if it would take data from each data set to complete a transaction, which appears to be the case here.

By contrast the 18 Sony sites that were hit succumbed to similar SQL injection attacks and stored usernames and passwords not only in the same location, but unencrypted and easily available enough to enrage hacker-activist group LulzSec.
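The split-record design described above, and the contrast with storing everything in one place, as an added illustration (this is my own example, not Citi's or Sony's code; the account numbers, names and the idea of hashing the security code rather than storing it are my assumptions):

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for a card issuer's records.
# Fields: account, name, address, email, SSN, expiry, security code.
CUSTOMERS = [
    ("4111000011110001", "A. Example", "1 Main St", "a@example.test", "123-45-6789", "12/13", "123"),
    ("4111000011110002", "B. Example", "2 Main St", "b@example.test", "987-65-4321", "06/14", "456"),
]


def _hash(code, salt):
    # Salted, slow hash so a dump of the verification store is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def build_stores():
    """Two physically separate stores: demographic profile vs. verification data."""
    profile = sqlite3.connect(":memory:")   # models the store that was breached
    secrets = sqlite3.connect(":memory:")   # models the "separate location"
    profile.execute("CREATE TABLE card (acct TEXT PRIMARY KEY, name TEXT, address TEXT, email TEXT)")
    secrets.execute("CREATE TABLE verify (acct TEXT PRIMARY KEY, ssn TEXT, expiry TEXT, salt BLOB, code_hash BLOB)")
    for acct, name, addr, email, ssn, expiry, code in CUSTOMERS:
        # Parameterised statements throughout: no string-built SQL.
        profile.execute("INSERT INTO card VALUES (?,?,?,?)", (acct, name, addr, email))
        salt = os.urandom(16)
        secrets.execute("INSERT INTO verify VALUES (?,?,?,?,?)", (acct, ssn, expiry, salt, _hash(code, salt)))
    return profile, secrets


def authorize(profile, secrets, acct, expiry, code):
    """A charge needs a matching row from each store; neither store alone suffices."""
    if profile.execute("SELECT 1 FROM card WHERE acct=?", (acct,)).fetchone() is None:
        return False
    row = secrets.execute("SELECT expiry, salt, code_hash FROM verify WHERE acct=?", (acct,)).fetchone()
    if row is None or row[0] != expiry:
        return False
    return hmac.compare_digest(_hash(code, row[1]), row[2])


def dump_columns(conn, table):
    """Column names a full dump of one store would expose (table name is an internal constant)."""
    return [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
```

Card-brand rules forbid retaining the security code after authorization at all; the hashed field here only models the "separate location" the article describes.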

Citigroup isn't admitting any details, only that it is addressing the situation.

Citi did admit the breach promptly, however, something Sony and other companies failed to do; they often delayed acknowledging a breach for weeks after the initial break-in.

That will become illegal if a bill proposed by Sen. Patrick Leahy (D-Vt.) becomes law.

This is the fourth year Leahy, chair of the Senate Judiciary Committee, has introduced the bill, now called the Personal Data Privacy and Security Act of 2011.

It would require companies to report data breaches involving customers and carry criminal and financial penalties for anyone who "intentionally or willfully" hides a breach.

It parallels many of the requirements of the National Strategy for Trusted Identities in Cyberspace that the Obama administration introduced in April.

Leahy's bill is also similar to a set of security specifications and best practices the Commerce Dept. proposed should be provided as a voluntary set of guidelines to standardize minimum-level security standards.

Its report, with details on its suggestions and the scope of the threat against the $10 trillion spent online globally every year, is called Cybersecurity, Innovation and the Internet Economy (PDF).

Without endorsing any specific plan, the Business Software Alliance has backed both Leahy's bill and the Commerce Dept.'s guidelines, in separate announcements this week.

The specifics are less important than creating a single federal standard to "replace the unwieldy state patchwork we have today," the BSA announcement read.

There's no real indication from inside the Senate of whether the bill's chances are better this year than any previous attempt, or whether either the Obama administration or the Commerce Dept.'s proposals will go anywhere.

Citigroup, Sony, bulk emailer Epsilon, Gawker Media, RSA, Google and Lockheed Martin are working as hard as they can to get it passed. Each has recently demonstrated security poor enough to allow high-profile data breaches causing the loss of hundreds of thousands or millions of customer records apiece.

Considering the flock of recent bad examples of inconsistent security, I'm beginning to think the need for some kind of single set of security requirements is unavoidable, no matter how much complaining some companies do about the burden of compliance and micro-management of their businesses.

If millions of customers trust you with data that could compromise their financial security if it were released, and you store it unencrypted and easily accessible from the Web site delivering the service for which they paid, with few barriers to hackers, someone has to explain to you the importance of not abusing other people's trust.

If Citigroup, with well-planned security configurations and distributed customer records, can get hit for 200,000 customer records, any company can.

The irresponsible ones won't limit the damage as well as Citi did. They'll be more like Sony, whose count of lost records is above 100 million and still growing.

Neither company is small or poor enough to claim it can't afford real security.

Companies that really can't will pose even greater risks to consumers.

They shouldn't have the choice. If a bank is willing to keep my money, federal agencies impose a list of requirements for security and liquidity and fair practices and everything else.

If my personal data is worth money – and if it's not there are a lot of hacker groups out there wasting time – I should be able to count on some level of protection for it as well, without having to check every site I use to find out what kind of password-hashing scheme it uses and how good its SQL injection defenses are.
