Citi Mastercard - Merchant Database Compromise
#16
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,845
yes, I refered to CA state law and the notification requirement in my msg to Citi requesting info about the merchant.
#17
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,845
Well, I never got the promised written response from whatever department the online customer support directed my question about the merchant name to. I sent them a follow-up today indicating that I will close my account if I don't hear back. The response, basically, was "we can't tell you due to possible pending legal action against the merchant."
I'll close my account and send a little note to the CA AG's office to see if they feel this disclosure is required under CA law. Might as well get something for my taxes
I'll close my account and send a little note to the CA AG's office to see if they feel this disclosure is required under CA law. Might as well get something for my taxes
#18
Join Date: Jun 2006
Location: Houston, TX
Posts: 166
#19
FlyerTalk Evangelist
Join Date: Aug 2001
Programs: DL GM, AA Gold, Hilton Diamond, Bonvoy Plat
Posts: 12,171
Why do you guys care?
You can't have your identity stolen by having a card stolen. You need to have your SSN lifted for that to happen.
For credit cards, the issuer (Citi) and ultimately the merchant accepting the stolen card is on the hook for any fraud, not you. That's why so many of them are asking for ID at purchase time.
Debit cards don't offer as much protection. I never use them.
Keep an eye on your statements (which you probably do anyway), if you see anything hinky, call the card issuer.
There are better things to worry about. Like the economy.
You can't have your identity stolen by having a card stolen. You need to have your SSN lifted for that to happen.
For credit cards, the issuer (Citi) and ultimately the merchant accepting the stolen card is on the hook for any fraud, not you. That's why so many of them are asking for ID at purchase time.
Debit cards don't offer as much protection. I never use them.
Keep an eye on your statements (which you probably do anyway), if you see anything hinky, call the card issuer.
There are better things to worry about. Like the economy.
#20
Join Date: Feb 2006
Location: 99654
Programs: Many
Posts: 6,450
(Most banks even waive this amount.. but you are at the bank's mercy)
Provided that you notify the issuing company as soon as you find out about it.
In this case, the issuer found out about it before you did so the bank would be
on the hook. Merchants might not be on the hook in many cases.
#21
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,845
(a) I don't like to be lied to. ("you'll get a reply within 15 days...")
(b) Changing the credit card number causes me and everyone else affected all kinds of hassle.
(c) It appears only Citibank cards were recalled, so how can this be a merchant breach? The whole thing seems fishy
(d) if companies are not being held responsible for breaches of confidential data, they are not going to take their responsibilities seriously.
There are indeed other things to worry about as well, like the economy. But it's not an either/or situation. Sending a request to the Cal AG's office won't take me much effort, and I don't have much use for the Citibank card anymore as I had to switch all automatic debits anyway. Besides, what I can actually do about the economy, other than worry.
(b) Changing the credit card number causes me and everyone else affected all kinds of hassle.
(c) It appears only Citibank cards were recalled, so how can this be a merchant breach? The whole thing seems fishy
(d) if companies are not being held responsible for breaches of confidential data, they are not going to take their responsibilities seriously.
There are indeed other things to worry about as well, like the economy. But it's not an either/or situation. Sending a request to the Cal AG's office won't take me much effort, and I don't have much use for the Citibank card anymore as I had to switch all automatic debits anyway. Besides, what I can actually do about the economy, other than worry.
#22
FlyerTalk Evangelist
Join Date: Aug 2001
Programs: DL GM, AA Gold, Hilton Diamond, Bonvoy Plat
Posts: 12,171
According to FTC, you could still be on the hook for $50 in case of a fraud.
(Most banks even waive this amount.. but you are at the bank's mercy)
Provided that you notify the issuing company as soon as you find out about it.
In this case, the issuer found out about it before you did so the bank would be
on the hook. Merchants might not be on the hook in many cases.
(Most banks even waive this amount.. but you are at the bank's mercy)
Provided that you notify the issuing company as soon as you find out about it.
In this case, the issuer found out about it before you did so the bank would be
on the hook. Merchants might not be on the hook in many cases.
Never paid a dime out of pocket.
#23
FlyerTalk Evangelist
Join Date: Aug 2001
Programs: DL GM, AA Gold, Hilton Diamond, Bonvoy Plat
Posts: 12,171
There are indeed other things to worry about as well, like the economy. But it's not an either/or situation. Sending a request to the Cal AG's office won't take me much effort, and I don't have much use for the Citibank card anymore as I had to switch all automatic debits anyway. Besides, what I can actually do about the economy, other than worry.
You're also making a false assumption that a merchant CC breach is equivalent of a personal data breach. The two are entirely different.
#24
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,845
I think you're wasting the AG's time. A company or government agency losing an SSN (or other personal data) is one thing. A CC is quite another. You're not at any risk in the latter.
You're also making a false assumption that a merchant CC breach is equivalent of a personal data breach. The two are entirely different.
You're also making a false assumption that a merchant CC breach is equivalent of a personal data breach. The two are entirely different.
So I'll leave it to the Cal AG's office to make the determination of whether they have violated CA state law.
#26
FlyerTalk Evangelist
Join Date: Jun 2008
Location: Rural TN (but WAS native)
Programs: National Executive Elite, none of the others matter
Posts: 23,823
Mine was labeled "Russian Card Compromise". I received an authenticated E-mail message yesterday saying to log into my account urgently - I tried but my information wasn't recognized. Today, I received a new ATM card saying the old one was to be deactivated in mid November. Anyway, here's the message that was waiting in my online account; it was for a checking / saving combination that has three of my credit cards directly linked.
**********************************
Dear Citibank Customer,
Citibank recently discovered that your Citibank Banking Card may have been compromised. To protect you and your account, certain precautionary measures have been taken, which include reducing your daily ATM limit and issuing a new Citibank Banking Card to replace your existing card.
We ask that you assist in this effort by taking the actions noted below:
1. Activate your new card immediately.
- Your ATM limit will be increased to the original amount on the next business day following activation.
- Activating your new card will immediately deactivate your current card.
- Your current card will be deactivated on November XX, 2008.
2. Change your Personal Identification Number (PIN) immediately.
- As a general practice, we recommend you change your PIN periodically to prevent risk of unauthorized access to your account.
- You can change your PIN on www.citibankonline.com, at any Citibank ATM or at any Citibank Financial Center in the United States.
3. Review your account activity, if there are any transactions you do not recognize.
- Please contact us at any of the following numbers and our representatives will assist you:
1-888-248-4226 CitiPhone
1-800-360-2484 Spanish language calls
1-800-945-0258 Text Telephone Service
If you are traveling outside of the United States and need to contact us for other options, please use the international collect telephone number on the back of your Citibank Banking Card. Citibank will pay for the call.
The security and protection of our customers is our most important priority. We sincerely apologize for any inconvenience that the protective steps we have taken may cause you, and appreciate your attention to this important matter.
Sincerely,
XXXXXXXXXXXXXXXXXXX
Executive Vice President
Director, Citibank Client Services
**********************************
Dear Citibank Customer,
Citibank recently discovered that your Citibank Banking Card may have been compromised. To protect you and your account, certain precautionary measures have been taken, which include reducing your daily ATM limit and issuing a new Citibank Banking Card to replace your existing card.
We ask that you assist in this effort by taking the actions noted below:
1. Activate your new card immediately.
- Your ATM limit will be increased to the original amount on the next business day following activation.
- Activating your new card will immediately deactivate your current card.
- Your current card will be deactivated on November XX, 2008.
2. Change your Personal Identification Number (PIN) immediately.
- As a general practice, we recommend you change your PIN periodically to prevent risk of unauthorized access to your account.
- You can change your PIN on www.citibankonline.com, at any Citibank ATM or at any Citibank Financial Center in the United States.
3. Review your account activity, if there are any transactions you do not recognize.
- Please contact us at any of the following numbers and our representatives will assist you:
1-888-248-4226 CitiPhone
1-800-360-2484 Spanish language calls
1-800-945-0258 Text Telephone Service
If you are traveling outside of the United States and need to contact us for other options, please use the international collect telephone number on the back of your Citibank Banking Card. Citibank will pay for the call.
The security and protection of our customers is our most important priority. We sincerely apologize for any inconvenience that the protective steps we have taken may cause you, and appreciate your attention to this important matter.
Sincerely,
XXXXXXXXXXXXXXXXXXX
Executive Vice President
Director, Citibank Client Services
#28
In memoriam
Join Date: Jan 2006
Posts: 4,020
I am amazed at the number of FTers in this thread who believe that they are not on the hook for defective credit card security. Yeah, that's sort of what the law says, but the reality ...
Over the years I have dealt with many, many cases where the bank or merchant screwed up or was just plain crooked--and held or tried to hold the card user responsible. Otherwise, the bank or merchant has to eat the charge and they don't want to do it.
As a cursory reading of the newspaper these days indicates, anyone who relies on a bank to do the right thing is likely to be disapointed.
Over the years I have dealt with many, many cases where the bank or merchant screwed up or was just plain crooked--and held or tried to hold the card user responsible. Otherwise, the bank or merchant has to eat the charge and they don't want to do it.
As a cursory reading of the newspaper these days indicates, anyone who relies on a bank to do the right thing is likely to be disapointed.
#30
Join Date: Feb 2006
Location: 99654
Programs: Many
Posts: 6,450
had shipped them to a wrong address... in some remote part of the country.
Yes.. this was Citibank.