Citi has agreed a $55,000 settlement with the state of Connecticut over a security flaw in its online banking service which enabled crooks to access the account information of hundreds of thousands of customers.
In May 2011 hackers accessed details - including names, account numbers and e-mail addresses - belonging to around 360,000 Citi North American credit card customers and reportedly managed to steal around $2.7 million.
The crooks obtained the data thanks to a vulnerability in Citi's Account Online Web-based service which meant that once they had logged in to the system with an account number and password, they could just change a few characters in the URL to access additional accounts.
According to Connecticut attorney general George Jepsen, not only did Citi know about the security flaw, it may have existed for three years before the attack.
"Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated," says Jepsen.
With 5066 of the 360,000 affected customers coming from Connecticut, Citi will pay $15,000 in civil penalties to the state's privacy protection guaranty and enforcement account and $40,000 to the state's general fund to resolve allegations of violation of the Connecticut Unfair Trade Practices Act.
The bank has also agreed to hire a third party to carry out a security audit of Account Online and will offer two years of free credit monitoring for any affected customers from the state.