Breaking into a bank's servers and stealing personal information on its customers should be difficult. Not in Citigroup's case.
The New York Times reported Tuesday (June 14) that the massive Citigroup data breach disclosed last week was accomplished by the simplest of methods.
The attackers simply logged into Citi's consumer website for credit-card holders using legitimate accounts. Then they changed characters in the address fields of their Web browsers to jump to other customers' accounts.
So someone who logged in to look at his own account — for example, card number 1234 5678 9012 3456 — would have needed only to change that number to something else — say, 1234 5678 9012 3457 — in the address window.
When he hit "return," he'd see the details of a different account — no separate login required.
Anyone reading this story could have done that. As the Times pointed out, Citi's website was the equivalent of a mansion with the front door unlocked.
Or as Times editor David Gallagher put it in a personal Tweet, "One could argue that this barely qualifies as hacking."
Once the attackers had the method worked out, they automated the process, investigators suspect, writing a short program to cycle through possible account numbers and capture the data displayed in the browser window for each one.
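The flaw described above (an account number taken straight from the address bar with no check that it belongs to the logged-in user), the ownership check that closes it, and a log heuristic for the kind of automated enumeration investigators suspect, as an added example that is not from the article or from Citigroup's systems. The account store, function names and the access-log lines are constructed for illustration.

```python
# Added illustration (not the article's code): an account lookup with and
# without an ownership check, plus a heuristic that flags sessions that
# walked through many distinct card numbers. All data below is constructed.
from collections import defaultdict

# Constructed account store: card number -> owning user and record.
ACCOUNTS = {
    "1234567890123456": {"owner": "alice", "history": ["coffee 3.50"]},
    "1234567890123457": {"owner": "bob", "history": ["fuel 40.00"]},
}

# Constructed access log, one "session_id card_number" pair per line:
# s1 looks at one card, s2 cycles through consecutive numbers.
SAMPLE_LOG = [
    "s1 1234567890123456",
    "s2 1234567890123456",
    "s2 1234567890123457",
    "s2 1234567890123458",
    "s2 1234567890123459",
]


def vulnerable_view(session_user, card_number):
    """Return whatever card number appears in the URL.

    Only the login is checked; nothing ties the requested card to the
    session's user, so changing one digit returns someone else's account.
    """
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS.get(card_number)


def hardened_view(session_user, card_number):
    """Same lookup, but the record must belong to the session's user.

    A missing card and another user's card get the same answer, so the
    response does not reveal which card numbers exist.
    """
    if session_user is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(card_number)
    if record is None or record["owner"] != session_user:
        return None
    return record


def enumerating_sessions(log_lines, threshold=3):
    """Return session ids that viewed more than `threshold` distinct cards."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, card_number = line.split()
        seen[session_id].add(card_number)
    return sorted(s for s, cards in seen.items() if len(cards) > threshold)
```

The threshold is a placeholder; in practice it would be tuned to how many cards a genuine customer session ever touches.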
An estimated 210,000 accounts belonging to North American customers were compromised. Exposed information included names, email addresses, credit-card numbers and account history.
Citigroup pointed out that no Social Security numbers or dates of birth were exposed, which would have been essential information for identity thieves. Nor were the three-digit credit-card security codes, nor the card expiration dates, which would have made the card numbers much more valuable.
Both the Times and the Wall Street Journal revealed that Citigroup detected the attacks in early May but waited three weeks to gather information and notify the affected customers.