Last week, Citigroup announced that around 200,000 credit card accounts had been compromised by hackers, but a new report from the Wall Street Journal says the bank knew something was wrong weeks earlier.
According to the Journal’s source, Citi discovered the breach, which revealed names, account numbers and e-mail addresses, in early May and then immediately launched an investigation that lasted 10 to 12 days.
From the WSJ:
In late May, the company launched a week-long process for a mailing to notify the roughly 200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of new cards began June 3, or six days before Citigroup publicly disclosed the hack attack.
Additionally, before making any notifications, the bank sent out an internal fraud alert on at-risk customers.
While some security experts say Citi did the right thing by not going public until it had a grip on the situation, others tell the Journal that the bank should not have delayed the news.
“Every minute that passes after a hacker gains access to customers’ confidential information means a greater risk of both monetary and identity theft,” one expert tells the paper.
What do you think? How early in its investigation should a bank go public about a privacy breach?
Citi Defends Delay in Disclosing Hacking [WSJ.com]