NEW YORK Major U.S. banks came under growing pressure from banking regulators to improve the security of customer account information after Citigroup Inc became the latest high-profile victim of a large-scale cyber attack.
While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and forecast it could drive momentum for a systemic overhaul of the banking industry's data security measures.
The Federal Deposit Insurance Corp is developing new guidance for banks and may ask "some banks to strengthen their authentication when a customer logs onto online accounts," FDIC Chairman Sheila Bair said on Thursday.
Citigroup said late on Wednesday that computer hackers breached the bank's network and accessed the data of about 200,000 bank card holders in North America.
The third-largest U.S. bank waited more than a month before making the full extent of the breach public, drawing criticism on Thursday from lawmakers and lawyers.
Citigroup is the latest in a growing list of companies that have suffered cyber attacks, including Sony and Google Inc.
Security experts said the attack may be a watershed moment for the U.S. banking industry, which until now has suffered fewer direct hacker attacks than retailers.
"We're getting to the tipping point in terms of the number of fraud cases," said Gartner Research security analyst Avivah Litan.
As regulators weigh whether to require more spending on security, "this could be the straw that breaks the camel's back," she said.
Citigroup spokesman Sean Kevelighan said on Thursday that the bank would replace "the majority" of the credit cards affected by the data breach. The bank said its attackers viewed the names of customers, account numbers and contact information, including e-mail addresses.
Citigroup said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.
Debit cards were not affected, Kevelighan said on Thursday.
The Financial Times reported on Wednesday that the bank discovered the breach in early May.
Kevelighan on Thursday told Reuters that once the bank became aware of the attack, "we immediately took steps to monitor the impacted customers accounts." But he would not further explain the bank's decision to delay making the breach public, citing security reasons.
Like Sony, which has declared several security breaches of its networks this year, Citi could come under fire for not telling customers sooner.
U.S. Representative Jim Langevin, who follows cyber issues closely, said that data breaches were a fact of life but that companies had to inform customers.
"I was shocked by the report that Citigroup knew that their customers' data was potentially exposed back in early May, but is only now, a full month later, informing the public about this threat to their personal information," he said in a statement.
"I expect to hear more from Citigroup as to the nature of the intrusion and the steps taken to limit exposure of the data of government and private citizens," he said.
Peter Seidman, a partner at Milberg who represents plaintiffs in hacking class actions, said the firm is mulling an investigation of the Citi breach.
"The fact that they waited more than a month before disclosing this is especially troubling," he said.
Kevelighan would not discuss how the breach had occurred.
Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card customers, which the bank's annual report says total 21 million.
Banks can be particularly attractive targets for cyber criminals, Bair said on Thursday. "It's kind of a constant. It's one of the many risks that you have to deal with.
(Reporting by Maria Aspan; additional reporting by Ross Kerber in Boston, Diane Bartz in Washington and Dan Levine in San Francisco; editing by John Wallace and Gunna Dickson)