
Citi Bank Left the ‘Vault Door’ Open and Unlocked in Data Theft

In my prior blog post, I opined that the Citi Bank data breach, which left over 200,000 credit card holders' personal information exposed, was more about the overall culture of compliance within CitiBank than the technology employed internally by the company. As it turns out, a team of security experts has determined that CitiBank officials simply left the “front door” to the company's IT infrastructure wide open, and the cyber-thieves took full advantage of that mistake.

According to Messrs. Nelson D. Schwartz and Eric Dash of The New York Times, “[i]n the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.”
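The flaw the Times describes is a missing ownership check on the account number taken from the address bar. The following added example (mine, not code from Citi or from the article) shows that handler beside a hardened one, and a simple detection rule for the repeated requests the article mentions; the account records, user names and log entries are constructed for illustration.

```python
# Constructed sample store: account number -> owning customer and masked card data.
# Nothing here is real Citi data; the names and numbers are made up for the example.
ACCOUNTS = {
    "1001": {"owner": "alice", "card_last4": "4242"},
    "1002": {"owner": "bob",   "card_last4": "1111"},
    "1003": {"owner": "carol", "card_last4": "9876"},
}

def get_account_vulnerable(session_user, account_no):
    """The mistake described in the article: the account number from the URL
    is trusted as-is, so any logged-in customer can read any other customer's
    record simply by changing it. (session_user is never consulted.)"""
    return ACCOUNTS.get(account_no)

def get_account_hardened(session_user, account_no):
    """Object-level authorization: a record is returned only when it belongs to
    the authenticated customer. A foreign or unknown account both come back as
    None, so the response does not reveal which account numbers exist."""
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != session_user:
        return None
    return record

def flag_enumeration(access_log, threshold=3):
    """Detection side: one session asking for many different account numbers is
    the pattern the article describes. access_log is a list of
    (session_id, account_no) pairs; returns the sessions whose count of
    distinct account numbers exceeds the threshold."""
    seen = {}
    for session_id, account_no in access_log:
        seen.setdefault(session_id, set()).add(account_no)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)

# Constructed access log: session s1 walks through several account numbers,
# session s2 looks at a single account.
SAMPLE_LOG = [
    ("s1", "1001"), ("s1", "1002"), ("s1", "1003"), ("s1", "1004"),
    ("s2", "1002"),
]

if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("alice", "1002"))  # bob's record leaks
    print("hardened:  ", get_account_hardened("alice", "1002"))    # None
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))             # ['s1']
```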

What level of liability should CitiBank accept for this oversight? What effect will the data breach have on CitiBank’s revenue and customer trust? As embarrassing as it is to hand the keys to the prison to the prisoners, there is very little incentive for CitiBank to correct its culture of non-compliance. Undoubtedly, its response will most likely be to pay a nominal fine, offer some credit monitoring for the victims, and throw its IT staff under the bus. The real response should be to address its institutional culture of non-compliance – how else can you explain the negligence of leaving the “front door” open for cyber-thieves to take mission-critical customer data?
