The Business-Technology Weave

Jun 13 2011   10:32AM GMT

Breach, Meet Citi Group

David Scott David Scott Profile: David Scott

Of all the breaches I’ve noted here, this breach is really bad.  Reason?   I’ve got a Citi card.


According to eWeek and others, approximately 200,000 card members’ accounts were accessed.  The specific information compromised were names, card numbers, and e-mail addresses – perhaps other contact info depending on what you read.


Fortunately, other critical information, such as birth dates, social security numbers, card security numbers (typically on the back of your card) and card expiration dates were not compromised, as they are stored elsewhere.


It’s heartening to know that there’s a discretionary storage of critical data:  That is, there is a separate repository for one set of data, but another repository (or repositories) for a complimentary set of data necessary for the “whole record” view of any one entity – in this case, person and associated credit data.  This separation of data, into separate “secured” (ahem) areas makes it a little more difficult, at least, to assemble the critical info necessary to make bogus charges or acquisitions of cash at the expense of card holders.


It’s disheartening to know, however, that any measure of breach occurred to any measure of system at Citigroup.  This isn’t to pick on them – for a little perspective, access the Privacy Rights Clearinghouse and their Chronology of Data Breaches.  That list isn’t even comprehensive – there are far more breaches, both reported and unreported, transpiring.


Citi is going to establish “enhanced procedures” according to Sean Kevelighan, spokesman for the North American Consumer Banking Division of Citi, in order to prevent future breaches.  Well, that’s all well and good, but I’m curious to know if these “enhanced procedures” are general industry established and known procedures – and if so, why were they not already instituted?  Also, the word “procedure” is an interesting choice.  It almost makes it sound as if internal human error compounded an insecure situation. 


And, I characterize the human failing of neglect, in keeping systems updated for latest security threats and actions, to be human error:  Whether someone is simply not approving budget for protections, or someone is lax in surveying for risk and matched solutions. 


Security solutions must be extremely aggressive.  They must constantly lead threats – by a wide margin. 


It doesn’t take much for a business to lose the faith of customers.  In fact, it can happen at just about the speed of a button push on a keyboard…


NP:  John Coltrane with the Red Garland Trio, original Prestige vinyl LP… what more needs to be said? 

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: