Under the agreement, the bank will pay a fine of $55,000 to the state of Connecticut and will carry out a third-party data security audit of its online credit card account system.

During the probe, the California attorney general's office found that Citibank's Account Online Web-based service was technically vulnerable, which allowed hackers to access multiple user accounts.

The investigators claimed that Citibank discovered the vulnerability on 10 May 2011. However, the lender failed to put in place the measures required to prevent a recurrence of the same problem until 27 May 2011, and it kept the affected customers uninformed until 3 June 2011.

Due to inadequate security measures and insufficient systems and controls, hackers accessed account information for over 360,000 Citibank customers, including about 5,066 Connecticut residents.

Attorney General Jepsen said that Citibank represented to its customers that its online system was secured, but ultimately the techniques hackers used to obtain individual account information were relatively simple and unsophisticated.

"This settlement not only ensures that Citibank will be responsive to its customers should this system experience a breach in the future, it also requires the company to review and audit its security protocols," Jepsen added.

Besides reimbursing $40,000 to Connecticut's General Fund to settle the violation of the Connecticut Unfair Trade Practices Act (CUTPA), the lender will pay $15,000 in civil penalties to the state's privacy protection guaranty and enforcement account, which is used to compensate the affected consumers.