Citi Drags Feet on Data Breach. Send in the Regulators!

After its network and servers were hacked, Citigroup reportedly took up to three weeks to tell affected customers. This particular breach affected a reported 200,000 people, and anecdotal evidence suggests that many, if not all, never had a clue until they received their new credit cards.

That's a lot of people, and you can understand why a company would want to know what happened so it could process the necessary account changes, issue replacement cards, and inform the customers actually affected. However, target corporations like Citi move way too slowly, given the speed at which attackers can compromise identities. It's past time for corporations to find a faster way to notify their customers. If they can't do it voluntarily, regulation should compel them.

Granted, unwinding the aftermath of a data breach isn't easy. Those who broke in don't leave memos detailing what they obtained and released; technical investigators must sift through reams of system logs and records for clues.

No time for details
But corporations can't afford to wait for certainty. The speed at which stolen data spreads after a cyber break-in is astounding. Confidential sources in the hacker community have demonstrated to me that data from high-profile breaches is often freely available. It can include names, email addresses, passwords, credit card numbers, and much more, and it can be making wide rounds within days at most. Hours is more likely.

Files covering tens of thousands, even hundreds of thousands, of people get shared. Then it's only a matter of time before someone decides to use the data. Poof: there goes someone's identity.

Corporations, of course, don't want to alarm people unnecessarily -- much less look bad themselves. But freezing internal accounts and eventually sending notifications to consumers is far from sufficient. The highly sensitive data in play can fuel all manner of identity fraud, which often takes years to unwind and cure. There may be only a matter of hours before someone becomes a victim, and by then the comfort of corporate executives is cold indeed.

Companies should inform consumers immediately and let them do whatever makes them comfortable, whether that is requesting a new credit card, changing whatever passwords they reuse across accounts, or placing a freeze on their credit files.

If corporations aren't willing to do this voluntarily, then governments should take action. Otherwise, companies that don't lock down security not only potentially injure many consumers but also give entire industries a bad name.

Image: morgueFile user cohdra, site standard license.

Erik Sherman

Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.

