NEW YORK/BOSTON (Reuters)-after a massive data breach last month, Citigroup did not offer its customers hacked the same degree of protection identity theft that provide many other companies, privacy advocates and critics.
For customers interested in Citigroup, which had more than 360,000 credit card accounts exposed last month, has sent letters this month with tips on protecting yourself against identity theft.
But unlike other large u.s. companies, violated by cybercriminals, Citigroup did not offer to buy or give all customers affected one year of credit monitoring services, preventive file according to a sample of a letter, the Bank sent to many customers and filed with the regulators in Maine.
A year of monitoring has become a standard that offers large companies after customer information is violated, to reassure customers and to protect them from identity theft, privacy advocates and consumers, he said.
"Consumers might wish to turn to Citibank and ask them to do more. It has become rather trivial to offer credit monitoring these days, "Ruth Susswein, Deputy Director of the national consumers ' priorities for action, told Reuters.
"This is really what standard they can do," he said.
The Bank did remind consumers that could put a fraud alert on their credit file, which tells creditors to contact the consumer before allowing an account must be opened in their name.
Credit monitoring services typically do more, such as tracking consumer credit reports for signs that their identities were stolen and giving them early warnings of theft.
Letter to Citigroup clients offers special services for customers that consider their identities have been stolen. Bank spokesman Sean Kevelighan said that clients by calling a toll free number mentioned in the letter would be automatically offered services including at least six months of monitoring.
Hackers failed to steal social security numbers with the Citi data breach. In general, when they have been compromised social security numbers, there is little risk of new account fraud, said Paul Stephens, Director of policy and advocacy for Privacy Rights Clearinghouse, a San Diego non-profit that records violations.
But the facilities are relatively inexpensive and offers now seem to be the norm after most of the violations, he added.
The Bank, already facing legal pressure on its disclosure delayed fracture, now faces additional criticism from supporters who call his reply miser.
"Citigroup has need to take this latest violation more serious than what they have," said Marc Rotenberg, Executive Director of the Electronic Privacy Information Center.
Rotenberg, who testified this week before the Senate Banking Committee of the United States for cybersecurity in the financial sector, told Reuters that companies generally require additional steps such as reducing the amount of personal information held on file.
OPEN RECORDS
Citigroup, the third largest u.s. Bank, including a sample of the letter sent to holders of 703 accounts in Maine, in a filing with the Office of the Attorney General William Schneider. Maine is one of a number of States that require organizations to report when personal data is compromised. Officials provided the letter to Reuters in response to an open records request.
In his letter Citigroup advises customers to "remain vigilant over the next 12 or 24 months of your account activity monitoring" and tells them that they can put a "fraud alert" on their credit files.
Kevelighan said did not directly because the Bank did not make an offer wider free credit monitoring to date.
He said the Bank is "detection rate of satisfaction for nearly 90 percent with customers by contacting us in particular, were influenced by this," based on evaluations by customer service agents who manage their calls. He also reiterated that customers would not be responsible for any unauthorized use of their Citi accounts.
Citigroup said its cyberattackers not stealing social security numbers of its customers or card security numbers and "none of the data violated was sufficient to perpetrate fraud."
Privacy and security experts, said hackers could still find ways to use customer names, account numbers and email addresses to steal their identity.
"We still think that the violation is very serious," said Rotenberg.
Monitoring was not always common. TJX Companies initially refused to offer the service after it disclosed a violation of important data in 2007, but eventually offered three years of monitoring for some customers as part of a settlement of a class-action lawsuit.
Now the offers are more standard. Other documents from Maine delineate a myriad of other breaches of the data to dozens of companies, universities and other organizations. In many cases, companies mentioned that would free credit monitoring as part of their response, such as when the RiverSource funds unit of Ameriprise Financial said a former employee was unable to return the electronic devices containing client names and social security numbers.
(Edited by Steve Orlofsky)