Citigroup Defends Delay in Hacking Disclosure

NEW YORK – Citigroup waited as long as three weeks to notify its credit card customers of a hacking attack because it was conducting an investigation and producing replacement cards, The Wall Street Journal reported Monday, citing a person familiar with the situation.

The internal investigation took 10 to 12 days and began within 24 hours of the discovery that the New York bank's systems were breached in early May, this person said. In some cases, Citigroup took action to protect accounts considered vulnerable to fraud.

Citigroup publicly disclosed the security attack June 9, saying that it affected about 200,000 customers, or one percent of the company's card users in North America. The company said it referred the matter to law enforcement authorities and planned to send replacement cards to the majority of the affected customers.

Some critics accused Citigroup officials of dragging their feet in notifying customers that some of their data was compromised. The senate banking committee was planning hearings on data security. The breach followed other attacks that have fueled concerns among financial regulators and security experts that banks and other companies are not doing enough to protect themselves and their customers.

The person familiar with Citigroup's response to the security breach said that company officials responded to discovery of the attack immediately. In late May, the company launched a week-long process for a mailing to notify the roughly 200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of new cards began June 3, or six days before Citigroup publicly disclosed the hack attack.

Citigroup said the hackers obtained access to data such as names, account numbers and e-mail addresses. The breach did not compromise Social Security numbers, dates of birth, card security codes or expiration dates. Bank officials said the data disclosed was not enough to perpetrate fraud.