Citibank N.A. will pay $55,000 to the state and undergo a third-party security audit for failing to act quickly enough to fix a known security vulnerability on its website, Attorney General George Jepsen said.
Hackers were able to access more than 5,000 Connecticut customers’ user accounts through “relatively simple and unsophisticated” methods, according to Jepsen.
Hackers logged in online to Citibank accounts, and then changed characters in the web browser’s URL bar, allowing them to see other accounts.
Jepsen, who investigated the matter with California’s attorney general, said Citibank discovered the breach on May 10, 2011, but did not permanently fix it until May 27.It began notifying customers on June 3.
In the meantime, more than 360,000 customer accounts were accessed by hackers.
The settlement must still be approved by a judge.
