SmartMoney Blogs

Pay Dirt
A daily look at what we buy, how we spend, and the companies that do right - and wrong - by their customers.

The Silver Lining in the Citi Credit Card Leak


Citigroup late last night announced that a data breach, which exposed customers’ credit card information, impacted around 360,000 cardholders, or about 1.5% of its roughly 23.5 million North American credit card customers. The hackers accessed customers’ names, account numbers and contact information including email addresses.

A Citi spokesman says the company is contacting customers whose information was impacted. In the meanwhile, Deal Journal suggests several ways cardholders can protect themselves: Request a new card, report problems immediately, that sort of thing.

And while yes, Citi cardholders should do all that, they can also take a deep breath: consumers are well-protected against fraudulent credit card purchases. In general, credit card companies hold customers liable for up to $50 of unauthorized credit card transactions and often times they waive those $50 as well, says a spokeswoman for the American Bankers Association.

If it had been debit card data that had been stolen, on the other hand, consumers would have been in real trouble. In that case, the protections are minimal: the consumer potentially faces losing all the money in their checking account if they don’t report the theft fast enough.

Beyond that, identity theft experts say that the Citi hackers didn’t access enough information to actually use these credit cards for transactions. They’re missing the card expiration date and card security code that’s almost always necessary to make a purchase over the phone or online. “I don’t believe they have enough information, based on everything I’ve seen, to make transactions,” says Jay Foley, executive director at the Identity Theft Resource Center. For consumers, the biggest threat lies in the fact that the hackers have their contact information and could try to “bluff them” to get the other information they need, he says.

Citi says it has implemented enhanced procedures to prevent this breach from occurring again. But regardless of the bank, for consumers using plastic, there will likely be more breaches to come, says Foley. “Consumers can expect to hear more about more of these — the fact of the matter is Citibank, one of the largest banks in the world, suffered an attack.”

Update, June 16: The story has been updated to reflect new numbers from Citi stating that 360,083 customers’ credit card information was compromised. Initial reports from the company stated that roughly 1% — or 200,000 — of its 21 million North American card accounts were affected.


We welcome thoughtful comments from readers. Please comply with our guidelines. Our blogs do not require the use of your real name.

Comments (5 of 8)

View all Comments »
    • Really great and informative post..

    • holding customers accountable for their mistake would hopefully result in 21 million law suits.

    • Contrary to the article, the hackers did get personal information which allowed them to use the cards. I was alerted by an online vendor who thought the order was suspicious. The hackers placed an online order for delivery and pickup at a midwestern storefront. These hackers got more information thank Citibank is admitting, including security codes and account phone numbers.

    • The hackers did get enough information to make fraudulent purchases. My account information was used to make purchases with delivery for pickup at stores in the midwest and I live in the east.

    • This will become commonplace when health care records go online and prescriptions and med files are sent via the Internet. Let’s hope that some of the first medical file breaches involve high gov and corporate “executives.” In the meantime, there has been pathetically little in the MSM on the reckless plan to place very personal files online. Where are the reporters on this?

About Pay Dirt

  • Pay Dirt examines the millions of consumer decisions Americans make every day: What to buy, how much to pay, whether to rave or complain. Lead written by Quentin Fottrell, the blog examines these interactions, providing readers with news, insight and tips on shopping, spending, customer service, and companies that do right – and wrong – by their customers. Send items, questions and comments to quentin.fottrell@dowjones.com or tweet @SMPayDirt.