Citigroup Data Breach Criticism Misdirected

If we are going to criticize Citigroup for what is being called a “stingy” breach response for their recent compromise of some 360,000 credit card accounts, let’s make sure the criticism is for the right reason. In an article published Friday in The Globe and Mail titled "Citigroup did little to assist victims of a privacy breach, critics say", Citigroup was called out because “they did not offer its hacked clients the same degree of identity theft protection that many other companies provide.”

While I accept the premise that credit monitoring has become the norm in virtually all kinds of privacy data breaches, that doesn’t mean that it is always the correct response. ID Experts has always maintained that the entity that suffers from a compromise of client/customer/employee/patient data needs to customize the response to what was actually lost. Certainly, if social security numbers are involved then you definitely should provide at least 12 months of credit monitoring, although we recommend at least 24 months given that hackers will often sit on the data knowing that your accounts are being monitored for a limited period of time. But if it is just name, address and credit card number, full-on credit monitoring is probably overkill and will not identify that your credit card number is being used without your knowledge until possibly months later when the credit card company reports to the credit bureau that you have not paid your entire bill. But you should have already known that because either your credit card statements included false charges or they stop coming entirely (because the bad guy has misdirected your mail).

A better and more custom response, in this case, would be to have the breaching organization provide new credit account numbers and cards to all impacted individuals and offer some kind of cyber-monitoring (which can monitor for your old number showing up on the web in chatrooms where such information is bought and sold). I would recommend you also set up a service that notifies the victim anytime a change of address for the credit account is requested.

The point is that there are scores of different types of privacy data that can be breached. Medical data, employment data, passport info, mortgage accounts, mother’s maiden name, email passwords….the list is only limited to your imagination (or that of the criminals). The idea that the proper response to any and all breaches of privacy data is credit monitoring is something that puts smiles on the faces of the execs at the credit bureaus, but could easily put a big frown on the face of the individual victim.