Citigroup Inc. waited as long as three weeks to notify credit-card customers of a hacking attack because it was conducting an investigation and producing replacement cards, according to a person familiar with the situation.
The internal investigation took 10 to 12 days and began within 24 hours of the discovery by Citigroup officials in early May that the New York bank’s systems had been breached, this person said. In some cases, Citigroup took action to protect accounts considered vulnerable to fraud.
Citigroup publicly disclosed the security attack last Thursday, saying it affected about 200,000 customers, or 1% of the company’s card users in North America. The company said it had referred the matter to law-enforcement authorities and planned to send replacement cards to a majority of the affected customers. Some critics have accused Citigroup officials of dragging their feet in notifying customers that some of their data has been compromised. The Senate banking committee is planning hearings on data security. The breach follows other attacks that are fueling concerns among financial regulators and security experts that banks and other companies aren’t doing enough to protect themselves and their customers.
Source: Wall Street Journal