
An article relating to this blog post on Finextra:

Citi raises the numbers hit by data breach

The Citi data card breach compromised 360,000 customer accounts - 80% more than the figure initially reported - and forced the bank to re-issue 218,000 cards to affected customers.


Citi demonstrates lack of good Security practice - ditto BBC

As reported, this greatly surprises me: apparently the Credit Card number was placed within the URL, and so by changing the URL one could expose other customers' Credit Card details without having to go through the Access Validation routine.

On the one hand you'd assume the system designers didn't 'actually' specify it to be this way, but that the programmer didn't ask for further instruction and just thought it was a good idea?

I found a similar instance a few years ago with a world leader in Applicant/Employee Background checking, who was going to place the Applicant/Employee Name in the clear within the SMTP Header along with their Risk rating, until I asked for it to be anonymised and the personally identifiable information to be encrypted. "No-one had ever complained before."

However, surely someone inside or outside Citi (even a Citi employee who was a customer) should have noticed that the Credit Card was exposed before this, and complained? I certainly would have.
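The flaw described above is an authorisation check that is missing rather than merely weak: the record identifier comes straight from the URL and is never tied back to the logged-in user. The example below is added here and is not Citi's code; the card store, user names and identifiers are constructed sample data. It shows the vulnerable handler beside the hardened one, and logs denied lookups so that repeated identifier-guessing is visible to monitoring.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Card:
    last4: str      # only the last four digits are ever returned to a page
    owner_id: str   # the account holder this card belongs to
    balance: float

# Constructed sample data: two cards belonging to two different customers.
CARDS = {
    "card-1001": Card("0001", "alice", 120.50),
    "card-1002": Card("4002", "bob", 99.00),
}

# Constructed audit sink: in a real service this would be the security log.
DENIED_LOOKUPS = []

def view_card_insecure(session_user: str, card_id: str) -> Optional[dict]:
    """Vulnerable: trusts the identifier from the URL and never checks who
    owns it, so any logged-in user can read any card by editing the URL."""
    card = CARDS.get(card_id)
    if card is None:
        return None
    return {"last4": card.last4, "balance": card.balance}

def view_card_secure(session_user: str, card_id: str) -> Optional[dict]:
    """Hardened: the card must belong to the authenticated session user.
    A missing card and another customer's card both return None, so the
    response does not reveal whether a guessed identifier exists."""
    card = CARDS.get(card_id)
    if card is None or card.owner_id != session_user:
        # Record the denied lookup; a burst of these from one session is
        # the signal a detection rule would alert on.
        DENIED_LOOKUPS.append((session_user, card_id))
        return None
    return {"last4": card.last4, "balance": card.balance}

def list_my_cards(session_user: str) -> list:
    """Better still: derive the reachable objects from the session itself
    rather than accepting identifiers supplied by the client."""
    return sorted(cid for cid, c in CARDS.items() if c.owner_id == session_user)
```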

However, on a much lower scale of sensitivity, I joined the BBC Good Food website the other week, which requires a UserId and Password. To confirm my enrolment they sent me a single e-mail with both my User ID & Password in the clear - so no hashing there then - just the same as Sony. I assume if the BBC operate any that involve Credit Card details they'll be a little more diligent with their enrolment process?


Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 17 June, 2011, 13:28

Hopefully, this incident at Citi brings about a sea change in website security gaffes that are, unfortunately, not too rare. For example, the website of a leading European-Indian insurance JV in India displayed the automobile insurance policy # on the browser's address bar. Anyone could help themselves to the policyholder name, contact info, car make and model, sum assured and premium. To make it even easier for competitors to harvest a rich contact list to go after, policy #s were sequential! No need to generate random policy #s or apply mod10 checks: +1 or -1 to the displayed policy # was enough!  

Keith Appleyard - IT Consultant - Member since 17 Aug 2007
