Last month’s hacking into Citibank’s database — which compromised more than 200,000 credit card accounts — highlights the risks in sharing private information on social networking sites and signals the need for stronger regulatory measures, according to Wharton faculty. In early June, Citibank confirmed that hackers had breached its security systems and viewed customers’ information (such as names, account numbers and contact information, including e-mail addresses), but not the crucial three-digit security code on the back of credit cards. The breach affected about 1% of Citibank’s 21 million credit card accounts in North America.
“As individuals, we have casual disregard for our own security,” says Eric Clemons, Wharton professor of operations and information management. “The hacking is bad. When you combine hacking with the amount of information available in Facebook or Google, the hacking becomes much more dangerous. And yet we take very few actions to protect what we share with Facebook or Google.”
Clemons argues that there is a need for stronger mechanisms to minimize the damage after a security breach. He wants banks and financial institutions to be required by law in all jurisdictions to notify cardholders immediately, to cancel affected cards and to indemnify cardholders from direct losses caused at their institutions and indirect losses elsewhere. “It goes beyond the rules,” he says. He faults Citibank for waiting nearly a month before notifying anybody. The bank discovered the security breach in early May, but informed cardholders on June 10. Citibank explained that the problem had been “rectified immediately” and that it was conducting internal investigations. “If the bank was liable for any identity theft enabled by the bank’s break-in, it would have taken much more dramatic action and much sooner,” Clemons adds.
There is no such thing as a secure system, but the investigations should focus on whether “careless errors” facilitated the Citibank break-in, according to Andrea Matwyshyn, Wharton professor of legal studies and business ethics. Banks, financial markets and government agencies are particularly attractive targets, because their databases are “goldmines of useful information,” she says. Yet, she finds “tardiness” among some of those entities in implementing “the highest caliber” of security practices. “Hackers are aware of this dynamic, and regulators and other companies don’t have the same level of information talent.” Even Google, Microsoft and other firms that take advanced security measures are not immune from hackers compromising their systems, she notes.
Citibank is reticent on the subject, but a recent New York Times story says the hackers used the Citigroup customer web site to bypass traditional safeguards and impersonate actual credit card holders. “Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data,” the Times story notes.
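The address-bar manipulation the Times describes is an insecure direct object reference: the account number in the URL was treated as the only key needed to reach a record. The Python below is added here as an illustration (not code from Citibank, the Times or Wharton) and contrasts a lookup with that flaw against one that binds the requested account to the authenticated session, plus a simple monitor for the repeated enumeration the story mentions; all accounts, sessions and identifiers are constructed sample data.

```python
# Added example, not from the article: an insecure-direct-object-reference
# lookup of the kind the Times story describes, beside a hardened version.
# Every account, session token and identifier here is constructed sample data.
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample records: account id -> owner and contact details
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "1002": {"owner": "bob",   "name": "Bob B.",   "email": "bob@example.com"},
}
# Constructed sessions: session token -> authenticated user
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def vulnerable_lookup(session, query):
    """Trusts the 'acct' parameter from the address bar: any logged-in user
    can read any account just by changing the number (the flaw described)."""
    if session not in SESSIONS:
        return None
    acct = parse_qs(query).get("acct", [None])[0]
    return ACCOUNTS.get(acct)

def hardened_lookup(session, query):
    """Checks that the requested account belongs to the authenticated user;
    a mismatch is refused and answered exactly like a missing record."""
    user = SESSIONS.get(session)
    if user is None:
        return None
    acct = parse_qs(query).get("acct", [None])[0]
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != user:
        return None
    return record

class EnumerationMonitor:
    """Counts distinct account ids requested per session; a session asking
    for more accounts than it could plausibly own is flagged for review."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, session, query):
        """Record one request; return True once the session exceeds the threshold."""
        acct = parse_qs(query).get("acct", [None])[0]
        if acct is not None:
            self.seen[session].add(acct)
        return len(self.seen[session]) > self.threshold
```

The monitor is a detection aid, not a substitute for the authorization check: the hardened lookup is what closes the flaw, the monitor only surfaces attempts to exploit it.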
Online “bazaars” are flourishing for stolen private data, and sale prices for the basic information on a credit card could rise from a few pennies each to a few dollars in the foreseeable future, the newspaper says, quoting security experts. In 2008, the underground market for such data was flooded with more than 360 million stolen personal records, most of them credit and debit files, according to a report by Verizon and the Secret Service, the Times adds. Many previous breaches have been traced to organized and well-funded hackers in Russia, Bosnia-Herzegovina and elsewhere in Eastern Europe.
Hackers these days have diversified their targets to include stock exchanges (Nasdaq and the London Stock Exchange) and even the White House. The recent hacking into the Gmail accounts of White House administration officials is “much, much worse” than the Citibank break-in, according to Clemons. “If somebody on Hillary Clinton’s staff says it is surprisingly cold in Pakistan this month, hackers know far more about the location of the American secretary of state than we want them to know.” Google last month traced those hackers to Jinan city in China’s Shandong province. China denied that it was a state-sponsored attack, rejecting widespread rumors to that effect.