Citibank has agreed to pay $55,000 to settle a complaint by the Connecticut attorney general that the bank was aware of a security flaw in its online banking service that resulted in hackers obtaining payment card data and stealing about $2.7 million.
In the
Under the
The settlement document stipulates that by complying with the judgment, Citi is not admitting any violation of laws or statutes, or failure to comply with any federal or state information security or breach notification law or requirement.
Rather, the settlement calls for Citi in the future to notify Connecticut residents of any security incident involving its online banking services, as well as follow state statutes in notifying the attorney general's office.
The court also acknowledged that Citi reasonably and in good faith believes the individuals whose card accounts were hacked are not in danger of identity theft because hackers obtained only the accountholders' names and card payment numbers.
The hackers obtained the data because of a vulnerability in Citi's Web-based service called Account Online. The hackers reportedly logged into the system with an account number and password and changed a few characters in the URL to access additional accounts.
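The class of flaw described above is a missing server-side ownership check: the service authenticates the session but trusts the account identifier in the URL. The following is an added example, not Citi's code; the `acct` parameter, URLs, handler names and all data are assumptions constructed for illustration. It shows a handler with that weakness beside one that checks ownership and logs mismatches.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: card accounts and their owners (all values invented).
ACCOUNTS = {
    "4000000000000001": {"owner": "alice", "name": "Alice Example"},
    "4000000000000002": {"owner": "bob", "name": "Bob Example"},
}
SESSIONS = {"sess-alice": "alice"}  # session token -> authenticated user


def _requested_account(url):
    """Return the account identifier from the hypothetical 'acct' URL parameter."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    return values[0] if len(values) == 1 else None


def view_account_vulnerable(session_token, url):
    """Checks that the caller is logged in, then trusts the identifier in the URL."""
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(_requested_account(url))
    return (200, record["name"]) if record else (404, None)


def view_account_hardened(session_token, url, audit_log):
    """Serves a record only if it belongs to the authenticated session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    acct = _requested_account(url)
    record = ACCOUNTS.get(acct)
    # Same response for "no such account" and "not your account", so the
    # reply does not confirm which identifiers are valid.
    if record is None or record["owner"] != user:
        audit_log.append((user, acct))  # feed for detection and alerting
        return 404, None
    return 200, record["name"]
```

A burst of audit entries from one session across many different identifiers is the pattern worth alerting on.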
The bank also agreed to hire a third party to carry out a security audit of Account Online and will offer two years of free credit monitoring for any affected customers from the state.
The bank has 15 days after the Hartford District Court approves the settlement to pay the agreed-upon amounts. The court is expected to approve the documents on Sept. 10.
Citi did not respond to inquiries about the expected settlement.
Earlier this year, a