June 09, 2011, 12:02 PM — It's not exactly a positive sign that Citigroup announced its security had been breached and someone got access to records on thousands of credit-card customers.
There are a few positive signs, though. The security involved was tight enough that the hackers didn't get everything they wanted; the number of customers affected is in the hundreds of thousands, not millions; and Citi's example may help push through serious reform of security requirements that could stop what has become a tiresomely long list of enormous data breaches. (Sony announced another breach, btw, with the loss of 375,000 customer records; writing about the Sony Customer Data Distribution Channel has become too repetitive, however, so I'll ignore most of them unless Sony does something drastic, like fix its security.)
About 1 percent of Citi bank card holders were exposed, according to Citigroup's announcement. For Citi, 1 percent still means something like 200,000 people, out of the 21 million card customers the Financial Times reports (registration required).
The hackers got customer names, account numbers, addresses, email addresses and a few other demographic fields.
They didn't get Social Security numbers, card expiration dates or the card verification code (the three-digit security code printed on the back of the card), because those were stored in a separate location.
Splitting a single customer record into two segments stored separately is a good way to add security, especially when completing a transaction requires data from both sets, which appears to be the case here: an attacker who dumps one store walks away with a mailing list, not a usable card. The split only holds, though, if the two stores sit behind different credentials and network paths, so that whatever got the attacker into the first store doesn't also reach the second. And the card verification code is one field that shouldn't be sitting in either store: PCI DSS prohibits retaining it after a transaction has been authorized.
By contrast, the 18 Sony sites that were hit fell to the same kind of SQL injection attack, and stored usernames and passwords not only in the same location but unencrypted and easily available enough to enrage hacker-activist group LulzSec.
Citigroup isn't giving any details about how the attackers got in, saying only that it is addressing the situation.
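To make the contrast concrete, here is an added example of the split-storage pattern described above, set against the kind of SQL injection the Sony sites fell to. It is illustrative code written for this post, not anything from Citi or Sony. It assumes two in-memory SQLite databases standing in for what would be separate databases, hosts and credentials in production, a constructed pair of customer records, and a textbook tautology payload; unlike the arrangement described for Citi, it does not store the card verification code at all, which is what PCI DSS requires.

```python
import secrets
import sqlite3

# Two stores opened over separate connections. In-memory SQLite stands in for
# separate databases, hosts and credentials; all customer data is constructed.


def build_profile_store():
    """Customer-facing store: what a web front-end needs for account pages."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (name TEXT, email TEXT, address TEXT, "
        "pan_last4 TEXT, vault_token TEXT)"
    )
    return db


def build_card_vault():
    """Restricted store: full card numbers and expiry dates, keyed by token only."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cards (vault_token TEXT PRIMARY KEY, pan TEXT, expiry TEXT)"
    )
    return db


def enroll(profile_db, vault_db, name, email, address, pan, expiry):
    """Write one customer across both stores, linked by an opaque random token.

    The token carries no card information, so a dump of the profile store
    yields nothing that can be turned back into a card number. The card
    verification code is not stored anywhere (PCI DSS forbids keeping it after
    authorization); a real checkout would ask the customer for it each time.
    """
    token = secrets.token_hex(16)
    vault_db.execute("INSERT INTO cards VALUES (?, ?, ?)", (token, pan, expiry))
    profile_db.execute(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
        (name, email, address, pan[-4:], token),
    )
    return token


COLUMNS = "name, email, address, pan_last4, vault_token"


def find_customer_vulnerable(profile_db, email):
    """Lookup of the kind the Sony sites fell to: user input pasted into SQL."""
    query = f"SELECT {COLUMNS} FROM customers WHERE email = '{email}'"
    return profile_db.execute(query).fetchall()


def find_customer_safe(profile_db, email):
    """Same lookup with a parameterized query; the payload is just a string."""
    query = f"SELECT {COLUMNS} FROM customers WHERE email = ?"
    return profile_db.execute(query, (email,)).fetchall()


def card_for_transaction(profile_db, vault_db, email):
    """Completing a charge needs a row from each store: profile -> token -> vault."""
    row = profile_db.execute(
        "SELECT vault_token FROM customers WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    return vault_db.execute(
        "SELECT pan, expiry FROM cards WHERE vault_token = ?", (row[0],)
    ).fetchone()


def demo():
    """Constructed data; returns what each code path exposes, for comparison."""
    profile_db, vault_db = build_profile_store(), build_card_vault()
    enroll(profile_db, vault_db, "A. Customer", "a@example.com",
           "1 Main St", "4111111111111111", "12/14")
    enroll(profile_db, vault_db, "B. Customer", "b@example.com",
           "2 Main St", "5500000000000004", "06/13")
    payload = "' OR '1'='1"
    leaked = find_customer_vulnerable(profile_db, payload)  # whole profile table
    safe = find_customer_safe(profile_db, payload)          # no such e-mail
    charge = card_for_transaction(profile_db, vault_db, "a@example.com")
    return leaked, safe, charge


if __name__ == "__main__":
    leaked, safe, charge = demo()
    print(f"injection dumped {len(leaked)} profile rows; safe lookup returned {len(safe)}")
    print("leaked columns:", COLUMNS, "(no full card number, no expiry)")
    print("a charge needs both stores:", charge)
```

Run it and the injected lookup hands back every profile row, but only names, addresses, last-four digits and meaningless tokens; the vault is a different connection the injected query can't reach, and the same payload against the parameterized lookup matches nothing. The design point is the one the Citi case illustrates: the split buys you something only because the profile database's connection has no path to the vault.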