Attorney General Peter F. Kilmartin today warned consumers that Citibank was the victim of a security breach in which, the company has confirmed, customer name, account and contact information, including email, was compromised.
A hacking attack affecting the accounts of around 210,000 Citibank customers happened in May, but the company only made it public Wednesday in response to media queries. The company discovered the breach early last month through routine monitoring, finding that hackers had gained access to Citi's Account Online service and impacted more than 200,000 Citibank customers in North America.
According to Citibank, Social Security numbers, birth dates, card expiration dates and the three-digit code remain safe. While this means that the hackers cannot access customer funds, the contact information is enough for scammers to try to elicit more information through targeted, effective phishing expeditions. Using the email addresses, hackers could send phishing messages asking for sensitive information that could lead to identity theft and fraud. Customers can also be tricked through phone calls by callers pretending to be a representative of a legitimate financial institution.
The Attorney General sent a letter to Citibank informing the company of the state’s Identity Theft Protection Law, which requires the company to notify customers whose information or identities may be compromised by a security breach. In addition, he asked Citibank to tell the Office of Attorney General how the company plans to notify impacted Rhode Island customers, the extent of the impact, and the procedures the company is taking to prevent a recurrence of the breach.
Attorney General Kilmartin reminds consumers to be cautious of emails that appear to be legitimate messages from Citibank and of phone calls from individuals claiming to be representatives of the company.
Consumers should follow these tips to prevent phishing schemes:
- Do not follow a link to a secure site from an email; always enter the URL manually.
- Do not enter your bank account number, Social Security number, credit card number or any other personal information in a web page that you were linked to through an email or text message.
- A legitimate financial institution or entity will not ask you to provide personal identifying information in an email or ask you to verify personal identifying information in an email.
- If you are worried about your account, do not respond to the email, text, or automated call. Instead, call your financial institution or entity directly from the phone number you have from your personal records, bank statement, phone book or Internet search.
- Use a phishing filter.
- Use anti-virus and anti-spyware software and a firewall, and update them regularly.
- Review credit card and bank account statements as soon as you receive them.
- If you suspect that your password on a website has been compromised, call the company immediately to change your password.
If you believe you are a victim of consumer fraud, please contact the Consumer Protection Unit at the Department of Rhode Island Attorney General at (401) 274-4400. You can download a consumer complaint form by visiting our website at www.riag.ri.gov. You can also email us at email@example.com.