Citigroup is facing the prospect of a class action lawsuit over allegations that the company did not adequately secure sensitive data, and that the company made little to no effort to mitigate risks for customers after the breach was discovered.
Citigroup confirmed in June that an unauthorized network access event in May had compromised the private account details of over 360,000 North American banking clients, or about 1.5% of their clientele in that market.
Kristina and Steven Orman of Northport, New York, filed the suit in a Manhattan federal court last week, and the plaintiffs are seeking class-action status for the case, alleging that Citigroup did not make sufficient efforts to prevent fraudulent use of the stolen financial information.
“Defendants have taken no steps that adequately or effectively protect cardholders against illegal use of the cardholders’ sensitive and extensive financial records since the breach,” the plaintiffs state in the court filing.
The suit alleges that Citigroup was more concerned with cost overruns than with providing customers with adequate data security protocols.
“Defendants were willing to accept security risks to save money for the bank while exposing the customer to huge financial risk,” the complaint continues.
Citigroup is also being knocked for failing to explain how it was determined that “more sensitive information like social security numbers, birth dates, card expiry dates and CVV card security codes were not compromised,” according to the complaint.
Officials from the banking giant estimate that $2.7 million was stolen from about 3,400 accounts in the attack.
“Customers are not liable for any fraud on the accounts and are 100 percent protected,” bank officials said soon after the breach was made public.
Citigroup said they had detected the breach of the Citi Account Online network through routine monitoring of the systems. It appears that only credit card accounts were exposed in the breach, though some reports had suggested that some debit card information may have been involved.
Citigroup immediately reported the security incident to law enforcement and regulatory authorities, but waited about three weeks before beginning the process of notifying potentially affected customers.
The Citigroup breach is considered one of the very few successful hacks against a major bank's systems, and underscores the need for continued vigilance by financial institutions and their clients where security best practices are concerned.