Citibank has agreed to pay $55,000 to settle a complaint by the Connecticut attorney general that the bank was aware of a security flaw in its online banking service that resulted in hackers obtaining payment card data and stealing about $2.7 million.
In the Aug. 29 complaint, Attorney General George Jepsen alleged that Citi knew about the security flaw and suggests it may have existed for three years prior to the May 2011 breach, which affected 360,000 Citi North American credit card customers.
Under the terms of the agreement, Citi will pay $15,000 in civil penalties to the states Privacy Protection Guaranty and Enforcement account, and $40,000 to the states general fund through the Connecticut Unfair Trade Practices Act. The settlement must be approved by the Hartford District Court to be finalized.
The settlement document stipulates that by complying with the judgment, Citi is not admitting any violation of laws or statutes, or failure to comply with any federal or state information security or breach notification law or requirement.
Rather, the settlement calls for Citi in the future to notify Connecticut residents of any security incident involving its online banking services, as well as follow state statutes in notifying the attorney generals office.
The court also acknowledged that Citi reasonably and in good faith believes the individuals whose card accounts were hacked are not in danger of identity theft because hackers obtained only the accountholders name and card payment numbers.
The hackers obtained the data because of vulnerability in Citi's Web-based service called Account Online. The hackers reportedly logged into the system with an account number and password and changed a few characters in the URL to access additional accounts.
The bank also agreed to hire a third party to carry out a security audit of Account Online and will offer two years of free credit monitoring for any affected customers from the state.
The bank has 15 days after the Hartford District Court approves the settlement to pay the agreed-upon amounts. The court is expected to approve the documents on Sept. 10.
Citi did not respond to inquiries about the expected settlement.
Earlier this year, a Citigroup-sponsored bike rental program in New York disclosed a card payment data breach that affected more than 1,000 Citi Bike account holders.