Citi Hackers Got Away With $2.7 Million

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

Re:Can you see the dialogue happen at citi?

[Nidi62]

CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!

CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?

CSO: 2.7 millions.

CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!

Fixed that for you

Re:PCI compliant?

[Opportunist]

Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.

One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.

Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?

So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.

Re:PCI compliant?

[shoehornjob]

About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departmets were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensative databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Lets add greed to a culture of incompetance. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without review or vetting them.