Citibank discovers flaw in security

The personal information of more than 2,000 people who applied online for a Citibank N.A. credit card could have been leaked as a result of a computer error, a Citibank executive said yesterday.

The company has suspended the service and will compensate customers if the data they supplied to the company has been leaked, said Victor Kuan (管國霖), Citibank Taiwan's country business manager for consumer banking.

"We closed this online credit-card-application service and the online customer-inquiry service right after we found the flaw," Kuan said.

"We have also begun to check the viewing records of more than 2,200 applicants ... to see if there is a possible leak of information, and if so, the number of customers' whose information has been leaked," Kuan said. "We should be able to get the result by the end of today."

Citibank started offering its online credit-card-application service on Aug. 4, with interest-free credit and other benefits.

But a Kaohsiung teacher, Tsao Chih-cheng (曹志誠), last week gained access to other applicants' personal information while applying online for Citibank's Clear Card.

Tsao told Chinese-language media yesterday that he had immediately informed the bank about the security flaw. But he said he could still browse other customers' information when he tried again on Monday.

Kuan yesterday admitted that there were serious errors in the bank's Internet security management and customer service. But he said that the system failure appeared only in its online credit-card-application service. Citibank's main computer system, which has survived several attacks by hackers hired by Citibank, was secure.

"Citibank will contact the customers whose information is suspected to have been leaked during the period from Aug. 4 to Nov. 11 ... and we will compensate these customers for losses resulting from the leak of information," Kuan said.

Cheng Jen-hung (程仁宏), secretary-general of Consumers' Foundation, warned yesterday that the incident was not unique to Citibank. Cheng said the incident demonstrated the potential problem facing the nation's banking sector because of its ineffective management and insufficient protection mechanisms for customers' personal information.

"According to Article 27 of the Law for the Protection of Computer-Managed Personal Information (電腦處理個人資料保護法), customers can claim compensation of between NT$20,000 and NT$100,000 for the financial losses or other losses resulting from the leak of their personal information," Cheng said. "We will also help the affected consumers claim their compensation through a class-action lawsuit."

The authorities, including the Bureau of Monetary Affairs, should strengthen their supervision over banks' online services to ensure that consumers' rights and interests are not infringed, Cheng said.

The bureau said it had ordered Citibank to close its online application service and suspended the bank's application to open other online services from yesterday, a bureau official said.

"We also asked Citibank to submit a report on its review of this incident and what improvement measures it will take to the Ministry of Finance by Nov. 18, " Huang Tien-mu (黃天牧), the bureau's deputy director-general, said yesterday.

Huang did not say what kind of punishment Citibank might face.