Blog

In the Citi

Another day, another breach. Yesterday Citigroup was yet one more company that disclosed thieves had accessed private data:

Statement From Citigroup, Inc.: "During routine monitoring, we recently discovered unauthorized access to Citi's Account Online. A limited number (roughly one percent) of Citi North America bankcard customers' account information (such as name, account number and contact information including email address) was viewed. The customer's social security number, date of birth, card expiration date and card security code (CVV) were not compromised. We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details."

The New York Times wrote a comprehensive article that examined not only the breach, but what politicians and security experts alike had to say about what should, could, and needs to be done to address this ongoing problem. I want to comment on a couple of points made at the very end of the article.

The first:

"Likewise, some security experts say encrypting data as it flows across the entire payment network would make data far less vulnerable to being extracted by thieves. However, only a tiny fraction of merchants and processors have upgraded their systems. Mr. Elefant said the industry needed to adopt the encryption technology more quickly. 'Unfortunately, some companies look at breaches as the cost of doing business,' he said. 'That's not the right way to look at it. You need to be as secure as you possibly can be.'"

Yes, "less vulnerable," but still at risk. Encrypting data in transit protects it only between the point where it is encrypted and the point where it is decrypted; the plaintext still exists at both ends, and the keys live on systems that can themselves be compromised. Citi's own statement describes the customer data as having been "viewed" through its online account system, where it is necessarily presented in the clear to whoever the application believes is authorized. The industry at large has begun to acknowledge the sophistication of data thieves, so it needs to further recognize that they are also good at getting around any single measure of protection.

Sure, encryption is going to make it harder to obtain the data they are after, but it is really no different from putting a steep hill and some barbed wire on a marathon course: it will slow the runners down from reaching the finish, and some may even give up. But the most determined will figure out a way around the obstacle and get what they're after.

Another very critical step large-scale organizations like Citigroup need to take is to ensure they are implementing strong data and network security across ALL divisions. While most divisions act as their own entities, at the end of the day it is one brand, and that is all consumers will remember. One division that is weaker than the next is all it takes to damage a company.

And this second one:

"Others suggest the banks need to do more to enlist their customers, like providing more regular fraud alerts and giving them more control to turn on and off their credit cards. 'What they don't do enough of is engage the identity holder in the war against fraud,' said James Van Dyke of Javelin Strategy and Research, a payments consulting firm. 'They greatly prefer to wage this battle solo.'"

Why should consumers bear the responsibility of "fighting fraud" beyond keeping their personal information close to the vest? Isn't that what people are paying the organizations they entrust their data to for? Banking, investing, etc. are not free. Therefore, security should not be a customer burden.