Major U.S. banks came under growing pressure from banking regulators to improve the security of their customer account information after Citigroup Inc became the latest high-profile victim of a large-scale cyber attack.
While Citigroup insisted the breach had been limited, experts called it one of the first big, direct attacks on a major U.S. financial institution, and forecast it could drive momentum for a systemic overhaul of the banking industry's data security measures.
The Federal Deposit Insurance Corp is developing new guidance for banks and may ask "some banks to strengthen their authentication when a customer logs onto online accounts," FDIC Chairman Sheila Bair said on Thursday.
Citigroup said late on Wednesday that computer hackers breached the bank's network and accessed the data of about 200,000 bank card holders in North America.
Security experts said the attack may be a watershed moment for the U.S. banking industry, which until now has suffered fewer direct hacker attacks than retailers.
"We're getting to the tipping point in terms of the number of fraud cases," said Gartner Research security analyst Avivah Litan.
As regulators weigh whether to require more spending on security, "this could be the straw that breaks the camel's back," she said.
Citigroup said the names of customers, account numbers and contact information, including email addresses, were viewed in the breach. The Financial Times said the bank discovered the breach in early May.
Citigroup said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.
"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event," Sean Kevelighan, a U.S.-based bank spokesman, said by email Wednesday night. "For the security of these customers, we are not disclosing further details."
In the brief email statement, Citi did not say how the breach had occurred.
Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card customers, which the bank's annual report says total 21 million.
Banks can be particularly attractive targets for cyber criminals, Bair said on Thursday.
"It's kind of a constant," she said. "It's one of the many risks that you have to deal with."
Like Sony, Citi could come under fire for not telling customers sooner.
Sony has reported several attacks, including one in which hackers accessed the personal information on 77 million PlayStation Network and Qriocity accounts. The company was criticized for a delay in telling account holders that their information had been stolen by hackers.
(Reporting by Maria Aspan; additional reporting by Ross Kerber in Boston; editing by John Wallace)