Sensage Blogs

Citibank’s Breach – Textbook Damage Control

Posted: June 9, 2011 at 9:54 am | by Joe Gottlieb

Full disclosure: I am still coming up to speed on this. As the news was breaking this morning I received a tweet from Dark Reading behind which was a great summary of what’s known so far. Based on what I know so far, I would say that Citibank demonstrated some great practices in dealing with this breach.

First – Citibank was aware of the problem and came forward with a proactive message before some other source could expose them and create an immediate cycle of reactive statements and backpedaling. When you come forward on your own, you set the tone for the entire story.

Second – Citibank had facts and disclosed them effectively. They were able to state that sensitive information was not breached (no social security numbers, dates of birth, card expiration dates or card security codes (CVV) were compromised). They put the size of the breach in perspective, taking the potentially high impact of a 200,000-account breach and minimizing it by declaring that it represents only 1% of their North American accounts. Translation: Citibank is huge, we serve lots of customers, and this breach impacted only a tiny portion of those customers.

Third – Citibank noted that routine monitoring of their systems identified the breach so that they could take immediate action. This is the sort of proactive monitoring that I’ve been talking about. Citibank is not a client of SenSage, but that won’t prevent me from recognizing their effective practices in this domain :) But seriously, this “self-discovery” and the way it was disclosed (with the credibility of detailed facts) is critical because it gives us consumers more confidence that Citibank really was using the time between breach and disclosure to understand what was going on, minimize the impact and shift to open communication when the time was right for all parties.

Fourth – Citibank supplied guidance on how to be on the alert for phishing attacks looking to exploit this event with or without actual compromised data. They also made it clear that they are contacting impacted customers and undoubtedly are supplying the usual post-breach benefits such as credit monitoring. This last part is the most mundane and easiest to get right, but it’s only appreciated if you’ve done the harder stuff beforehand as noted above.

Breaches are not good. But there’s a right way and a wrong way to handle them. Citibank executed in pretty textbook fashion if you ask me. And in this day, when breaches are raining down on us almost daily, Citibank could actually gain from this event over time.