Exclusive: Citi skimps on "standard" customer monitoring

By Maria Aspan and Ross Kerber

NEW YORK/BOSTON (Reuters) - After a massive data breach last month, Citigroup did not offer its hacked clients the same degree of identity-theft protection that many other companies provide, drawing criticism from privacy advocates.

Citigroup, which had over 360,000 credit card accounts exposed last month, sent letters to affected customers this month with advice on protecting themselves against identity theft.

But unlike other large U.S. companies breached by cybercriminals, Citigroup did not offer to buy or give all affected customers a year of preventive credit file monitoring services, according to a sample of a letter the bank sent to many customers and filed with regulators in Maine.

A year of monitoring has become a standard offering from large companies after customer information is hacked, to reassure clients and to protect them from identity theft, privacy and consumer advocates said.

"Consumers might want to turn to Citibank and ask them to do more. It's become pretty commonplace to offer credit monitoring these days," Ruth Susswein, the deputy director of national priorities for Consumer Action, told Reuters.

"That's really the standard thing they can do," she said.

The bank did remind consumers they could place a fraud alert on their credit files, which tells lenders to contact consumers before allowing an account to be opened in their name.

Credit monitoring services typically do more, such as tracking consumers' credit reports for signs that their identities have been stolen, and giving them early warnings of the theft.

Citigroup's letter to clients offers special services to customers who believe their identities have been stolen. Bank spokesman Sean Kevelighan said that clients calling a hotline mentioned in the letter would automatically be offered services including at least six months of monitoring.

Hackers did not obtain Social Security numbers in the Citi data breach. Generally, when Social Security numbers have not been compromised, there is little risk of new-account fraud, said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a San Diego nonprofit that tracks breaches.

But the services are relatively cheap and the offers now seem to be the norm after most breaches, he added.

The bank, already facing regulatory pressure over its delayed disclosure of the breach, now faces additional criticism from the advocates who call its response stingy.

"Citigroup needs to take this recent breach more seriously than they have," said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

Rotenberg, who testified this week before the U.S. Senate's banking committee on cybersecurity in the financial sector, told Reuters that companies generally could take additional steps like reducing the amount of personal data they keep on file.


Citigroup, the third-largest U.S. bank, included a sample of the letter it sent to holders of 703 accounts in Maine, in a filing with the office of state Attorney General William Schneider. Maine is one of a number of states that require organizations to report when personal data is compromised. Officials provided the letter to Reuters in response to an open records request.

In its letter Citigroup advises customers to "remain vigilant during the next 12 to 24 months by monitoring your account activity," and tells them that they can place "fraud alerts" on their credit files.

Kevelighan did not directly say why the bank has not made a broader offer of free credit monitoring to date.

He said the bank is "tracking a nearly 90 percent satisfaction rate with customers contacting us who have been specifically impacted by this," based on assessments by the customer service agents who handle their calls. He also reiterated that customers would not be liable for any unauthorized use of their Citi accounts.

Citigroup has said that its cyberattackers did not steal its customers' Social Security numbers or card security codes and "none of the data breached was sufficient to perpetrate fraud."

Privacy and security experts said hackers could still find ways to use customer names, account numbers and email addresses to steal their identities.

"We still think the breach is quite serious," Rotenberg said.

Monitoring hasn't always been common. TJX Companies initially declined to offer the service after it disclosed a major data breach in 2007, but it eventually offered three years of monitoring for some customers as part of a settlement of a class-action lawsuit.

Now the offers are more standard. Other documents from Maine outline a host of other data breaches at dozens of companies, universities and other organizations. In several cases, companies mentioned they would offer free credit-monitoring as part of their response, such as when the RiverSource funds unit of Ameriprise Financial said a former employee failed to return electronic devices containing client names and Social Security numbers.

(Editing by Steve Orlofsky)