As reported, this greatly surprises me - apparently placing the Credit Card number within the URL, and thus by changing the URL exposes other Credit Card details within having to go through the Access Validation routine.
On the one hand you'd assume the system designers didn't 'actually' specify it to be this way, but that the programmer didn't ask for further instruction, so just thought it was a good idea?
I found a similar instance a few years ago with a world leader in Applicant/Employee Background checking, who was going to place the Applicant/Employee Name in the clear within the SMTP Header along with their Risk rating, until I asked for it to be anonymised,
and the personally identifiable information to be encrypted. "No-one had ever complained before"
However, surely someone inside or outside Citi (even a Citi employee who was a customer) should have noticed that the Credit Card was exposed before this, and complained? I certainly would have.
However, on a much lower scale of sensitivity, I joined the BBC Good Food website the other week, which requires a UserId and Password. To confirm my enrolment they sent me a single e-mail with both my User ID & Password in the clear - so no hashing there
then - just the same as Sony. I assume if the BBC operate any that involve Credit Card details they'll be a little more diligent with their enrolment process?