
Citi Drags Feet on Data Breach. Send in the Regulators!

After its network and servers were hacked, Citigroup reportedly took up to three weeks to tell affected customers. This particular breach affected a reported 200,000 people, and anecdotal evidence suggests that many, if not all, never had a clue until they received their new credit cards.

That's a lot of people, and you can understand why a company would want to know exactly what happened before acting, so it could process the necessary account changes, issue replacement cards, and inform only the customers actually affected. However, breached corporations like Citi move far too slowly, given how fast attackers can turn stolen data into compromised identities. It's past time for corporations to find a faster way to notify their customers. If they can't do it voluntarily, regulation should compel them.

Granted, unwinding the aftermath of a data breach isn't easy. It's not as though those who broke in leave memos detailing what they took and where it went. Technical investigators must sift through reams of logs and system data for clues.

No time for details
But the corporations don't have time to wait for certainty. The widespread availability of data after cyber break-ins is astounding. Confidential sources in the hacker community have demonstrated to me that data from high-profile exploits is often freely available. The information can include names, email addresses, passwords, credit card numbers, and much more, and it can be circulating widely within days at most. Hours would be more likely.

Files containing tens of thousands, even hundreds of thousands, of records get shared. Then it's only a matter of time before someone decides to make use of the data. Poof: there goes someone's identity.

Corporations, of course, don't want to alarm people unnecessarily -- much less look bad themselves. But freezing internal accounts and eventually sending notifications to consumers is far from sufficient. The highly sensitive data in play can enable all manner of identity fraud, which often takes years to unwind. A consumer may have only a matter of hours before becoming a victim, and by then the comfort of corporate executives is cold, indeed.

Companies should immediately inform consumers and give them the option of doing whatever makes them feel safe, whether that is asking for a new credit card, changing any password they reuse across other accounts, or placing a freeze on their credit files.

If the corporations aren't willing to do this voluntarily, then governments should take action. Otherwise, the companies that don't lock down security not only potentially injure many consumers, but also give entire industries a bad name.


Image: morgueFile user cohdra, site standard license.