As has been widely reported, credit card and banking giant Citi announced it’s network was hacked and that the personal data of thousands of customers may have been accessed, including names, phone numbers, email addresses and, most importantly, credit card numbers. Unlike most people, however, I didn’t hear about this from the media – I found out directly from Citi, because my account was one of the ones compromised. I received a letter stating that my personal data may have been compromised along with a new credit card just a couple days before the news story broke and thus revealing the scale of the hack. Citi is reporting that “roughly 1%” of its customers (approximately 210,000) were affected, but given that companies know how damaging these incidents are to both their public image and their stock price, I think it’s safe to say that that estimate may be on the low side.
Update: it was on the low side. The latest report indicates that the number of hacked accounts was 360,083.
When I called to activate my new card, I was offered a voucher code for 6 months of free credit monitoring along with the expected deep apology and assurance that new security measures had already been implemented to protect my data in a subtle attempt to suggest that this will never happen again (until next time).
The funny thing is that I really haven’t used the Citi credit card number in question for years – either in retail stores or online. In fact, pretty much the only reason I still have an account with Citi is so that I can use their Virtual Account Numbers – a free service available to all Citi cardholders which allows you to create disposable credit card numbers with set limits. Any time I made an online purchase from a lesser-known website, I would create a virtual card number with a limit just above the cost of the item and submit it with the confidence that, if that retailer got hacked and my card number was compromised, I wouldn’t have to go through the hassle of getting a new card, or worse, dealing with fraudulent charges (been there, done that). Rather ironic then that after going through all this trouble to create virtual credit card numbers for my protection, it’s the “real” credit card number which is compromised – and through the issuing bank’s own network no less.
A screenshot of the Citi’s Virtual Account Numbers login.
This and other recent incidents, including the much larger-scale Sony hacks, show that we really can’t trust that our data is safe in the hands of any company, regardless of how big they are and how much they may have a vested interest in trying to prevent such things from happening. Despite the irony of this situation, this only reaffirms my decision to use virtual account numbers as much as possible – and now perhaps even more often with large online retailers, since they could be hit next. Citi is one of the few banks that offer virtual account numbers, which is one of the only reasons I have kept my account with them, as I mentioned. Fortunately they aren’t the only one, and from now on I think I’ll be using Discover’s Secure Online Account Numbers – Discover’s version of the same service (Update: Discover has unfortunately discontinued this service as of September 8, 2011). If you’re a Bank of America credit card holder, you can use their similar Shop Safe service, the only other major bank in the U.S. to offer such a virtual credit card service at this time.