Citigroup admitted on Wednesday that an attack on its website allowed hackers to view customers' names, account numbers and contact information such as e-mail addresses for about 210,000 of its cardholders in North America.
Citigroup did not say how the website, Citi Account Online -- which is used by its customers to manage their cards -- was compromised, but said the discovery came through its "routine monitoring." The bank discovered the breach, which was first reported in Thursday's Financial Times, early last month.
Other customer information, such as Social Security numbers, birthdates, card expiration dates and the three-digit code on the back of the card, was not exposed, the company said.
"Citi has implemented enhanced procedures to prevent a recurrence of this type of event," said Sean Kevelighan, head of communications and public affairs for Citigroup's North America Consumer Banking division, in a statement. "For the security of these customers, we are not disclosing further details."
The affected customers are being contacted by Citigroup. However, the Citi Account Online website did not have a notification of the breach on its front page early Thursday morning.
The Financial Times reported that several card customers only found out about the issue last weekend when transactions using their card were denied, raising questions about Citigroup's notification procedures.
Although hackers may not have gained complete information on cardholders, the contact information is enough for scammers to try to elicit more information through targeted attacks.
The e-mail addresses, for example, could be used to send "phishing" messages asking for other sensitive information, which could potentially give identity thieves enough to start committing fraud.
Phishing can also be done over the phone, with the caller impersonating someone in authority and tricking a victim into thinking they're talking to a legitimate financial institution's representative.