An article relating to this blog post on Finextra:
Citigroup hackers broke in through the public Website - NYTimes
The hackers who made off with the personal account data of 200,000 Citigroup customers allegedly broke into the bank via its public Website, focussing on a simple vulnerability in the browser address...
The data breach at Citi demonstrates two things: the sheer volume of highly personal data that banks hold, and that an attacker does not need sophisticated tooling to reach it, since the reported entry point was a simple flaw in the public website. With attack techniques continually evolving, banks, just like any other organisation that needs to be trusted, must put themselves under constant scrutiny from both internally led teams and independent audit organisations.
In practice, this means ensuring any new or updated applications, whether internal or external facing, are subject to non-functional test cycles, such as penetration testing, before being trusted with any production data.
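The linked article says only that the flaw was "in the browser address", without naming it. The following is an added example, not code from this post or from Citi, and it assumes the common pattern that phrase usually points at: an account identifier carried in the URL query string and trusted by the server without checking that it belongs to the logged-in customer. The account numbers, session tokens and balances are constructed sample data. It shows the vulnerable handler beside a hardened one, and the kind of check a penetration test cycle of the sort described above should run before an application sees production data.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data (hypothetical customers; nothing here is real account data).
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": "4,210.55", "card_last4": "4242"},
    "1002": {"owner": "bob", "balance": "17.02", "card_last4": "1881"},
}

# Session token -> authenticated customer. Constructed for the example.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


@dataclass
class Response:
    status: int
    body: dict


def _account_id_from_url(url: str) -> Optional[str]:
    """Pull the 'acct' parameter out of a request URL such as /account?acct=1001."""
    values = parse_qs(urlparse(url).query).get("acct")
    return values[0] if values else None


def view_account_vulnerable(url: str, session_id: str) -> Response:
    """Vulnerable handler: the only check is that the caller holds a valid session.
    The account number is read from the URL and trusted, so a logged-in customer
    can read any account simply by editing the address bar."""
    if session_id not in SESSIONS:
        return Response(401, {"error": "login required"})
    record = ACCOUNTS.get(_account_id_from_url(url))
    if record is None:
        return Response(404, {"error": "no such account"})
    return Response(200, record)


def view_account_hardened(url: str, session_id: str) -> Response:
    """Hardened handler: the requested account must belong to the authenticated user.
    'Not found' and 'not yours' return the same response so that probing the URL
    does not confirm which account numbers exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        return Response(401, {"error": "login required"})
    record = ACCOUNTS.get(_account_id_from_url(url))
    if record is None or record["owner"] != user:
        return Response(404, {"error": "no such account"})
    return Response(200, record)


def idor_check(handler: Callable[[str, str], Response],
               session_id: str, own_acct: str, other_acct: str) -> bool:
    """Penetration-test style check for URL parameter tampering: logged in as one
    customer, a request for their own account must succeed and a request for another
    customer's account must be refused. Returns True only if the handler passes both."""
    own = handler(f"/account?acct={own_acct}", session_id)
    other = handler(f"/account?acct={other_acct}", session_id)
    return own.status == 200 and other.status != 200


if __name__ == "__main__":
    for name, handler in (("vulnerable", view_account_vulnerable),
                          ("hardened", view_account_hardened)):
        print(f"{name}: passes tampering check = "
              f"{idor_check(handler, 'sess-alice', '1001', '1002')}")
```

The check is deliberately tiny because the class of defect is: authentication answers "who is this?", and the vulnerable handler never goes on to ask "is this theirs?". A stronger design removes the account number from the URL altogether and derives the list of viewable accounts from the session, so there is nothing in the address bar to tamper with; the hardened handler above is the minimal fix when the URL shape cannot be changed.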
If the banks want to be seen as trusted guardians of our personal data then they need to tackle the threat of fraud in whichever form it may take. Ultimately it is the responsibility of the banks, and the vendors who support them, to design, build and deploy robust applications that protect the sensitive data they hold.
Complacency is most definitely not an option.