Citigroup Breach and RSA Breach: A Possible Connection?

Last Updated on June 9, 2011

Citigroup Center Building - New York — Image via Wikipedia

Today Citigroup revealed that the company has been victim of a breach of its online banking platform, which might have exposed sensitive data belonging to about hundreds of thousands of Citi customers.

Citigroup owns approximately 21 million card customers, which means, in turn, that data of 200.000 cardholders have been impacted.

According to Sean Kevelighan, head of communications and public affairs for Citigroup: “A limited number – roughly 1 percent – of Citi North America bankcard customers’ account information [such as name, account number and contact information, including e-mail address] was viewed, the customer’s Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted.”

Apparently the credit cards and Social Security Numbers are safe, but this will not prevent the Cardholders from the real risk of scams, phishing and fake phone calls from Citibank or its subsidiaries…

At first glance Citigroup is only the last breach following the notorious similar events occurred to RSA, Sony, Epsilon, so definitively nothing new under the sun of this really troubled (from an infosec perspective) 2012.

However, the more (scant so far) information I read, the stronger the suspicion became that the Citigroup and RSA breaches could somehow be linked.

Of course it is right to emphasize that what follows is a mere personal speculation (I would rather say a personal curiosity) based on the few information unleashed so far.

My concern comes from the fact that, according to the original statement, the breach was originated by an unauthorized access to the systems of Citi Account Online discovered during routine monitoring in early May. Citigroup is one of the main RSA customers, and most of all has been one of the first (together with Bank of America, JPMorgan Chase, Wells Fargo) to immediately ask to replace the tokens as soon as RSA declared the direct involvement of compromised SecurIDs in the Lockheed Martin breach (and consequently offered to replace SecurID tokens). Since I am not a Citigroup Customer, I do not know how the Citi Account Online Service works (in this moment the site is not completely visible, at least from Italy, but from what I have understood OTP is used only for transactions), so I cannot definitively trace a direct a connection between the unauthorized access and the use of compromised seeds (OK this is the weak point of my theory J), nevertheless if the coincidence of factors appears quite strange. For sure, to compromise data of 200.000 users it is likely (I would say obvious) that the attackers exploited other vulnerabilities.

Also the timeline of the breach is clearly noteworthy: it looks like the Citigroup breach happened at the early May, nevertheless the customers were notified Sunday JUne the 5^th : said in few words, a month later. Maybe Citigroup has decided not to warn its customers of too many breaches at the same time (I wonder how many owners of SecurID or PSN members there are between them). Anyway few hours after the notification to Citigroup customers, RSA would have officially announced the evidence of a direct connection between its breach and the one to Lockheed Martin (and the consequent decision to replace the tokens); equally curiously, according to RSA, this evidence was obtained on June the 2^nd, that is approximately three days before the notification by Citigroup to replace the cards to its customers. It is possible (but I repeat this is only a mere personal speculation) that at the moment of notifying its customers, Citigroup was already aware of the direct involvement of the compromised seeds on the Lockheed Martin affair (if I were in RSA’s shoes I would have immediately advised the affected customers), and probably also aware of the RSA offer to replace the compromised tokens. Consequently at that point the Bank realized the true extent of the breach and decided it was the right moment to take adequate countermeasures, first of all notifying the customers, and then finally replacing the tokens, but only after the official RSA statement.

Why Citigroup did not decide to replace the tokens before? The answer is pretty much simple: RSA security breach might cost banks $100 million, so who knows what would have been the cost if Banks should have purchased the new tokens from their own?

In the coming days I will try to follow developments closely, since I am really curious to see it a real involvement of compromised seeds will be identified. For sure we will have to face other similar events in the near future, and I do not exclude other “sons of a (RSA) breach” to come (or better to be unleashed).