In yet another example of corporate technical incompetence (or perhaps technical superiority on the part of the hackers), Citigroup announced today that “hackers accessed the data of over 200,000 bank card holders”. (full article)
I have a couple of questions about this process, because I don’t believe the PR spin.
How do they know?
Every time a large corporation gets compromised, they state, with certainty, that only certain portions of their data were leaked. “Birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.” How do they know that? They certainly didn’t know they had a gaping hole in their data center, how can they say with a straight face that only certain pieces of data were taken?
I suppose it’s possible that the “other data” was stored in some other database, in some other data center, but are we really supposed to believe that?
I’m by no means a security expert, but I used to run a small web server with a database. It was attacked. I can’t tell you with certainty whatsoever about what data was taken. At all. Neither could my hosting company. So how are these big companies so capable?
They say that only 1% of the 21 million North American customers were affected. How can they possibly be that certain if all of those records were sitting together in a database?
How did they fix it so quickly?
Another important part of the “we got hacked” PR is the reassurance that this won’t happen again. Like I said before, I’m not a security expert, but if I were a hacker, and I gained access to something as valuable as Citi’s database of credit card numbers, isn’t is also possible that I left a back door open so that I can come and go as I please in the future?
"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event." If you had “enhanced procedures” immediately available to you to “prevent this type of event,” why weren’t they already implemented? How did you have exactly the solution to prevent this breach sitting around, but hadn’t done it yet?
Why did they wait so long to tell anyone?
Finally, when a breach is revealed, it’s always at least a month later. This one actually happened in early May. 30 days is an eternity in the personal data world. That’s an entire credit card billing cycle. It’s certainly long enough to borrow an identity and destroy someone’s credit rating.
My hope is that they took that time to determine the scope of the damage, but it’s far more likely that those 30 days were spent trying to figure out the best way to spin this. Much like the Russians were the scapegoats in the 80s, and the Middle East in the 90s, I find it interesting that all of the hackers seem to be living in China now. Google and Citi are pointing their fingers to the Far East. It’s far more likely that the hackers are routing their traffic through a compromised Chinese server, but I don’t want to take anything away from the 1,000,000,000+ people of China. Maybe they are just getting craftier.
Finally, I found the last paragraph of the article to be the most telling about this entire situation. Citi (and I’m sure many other organizations) seems to have thrown their hands up about security:
"Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."
The way I read that is this:
“We have no idea how to secure our data, but it doesn’t matter. Our responsibility is to make our customers feel like their data is safe, regardless of whether or not it really is.”
What do you think is the cause of all of these breaches at Sony, Google, and now Citi? How many hacks do we never hear about?