Citi Mastercard - Merchant Database Compromise
#46
FlyerTalk Evangelist
Join Date: May 2001
Location: MSY; 2-time FT Fantasy Football Champ, now in recovery.
Programs: AA lifetime GLD; UA Silver; Marriott LTTE; IHG Plat,
Posts: 14,518
I got a new card (AA Visa) from Citi two weeks ago along with a merchant database note. I called today, and like past callers, was told that they didn't have/couldn't tell me who the merchant is.
But the agent actually did suggest I google for "merchant credit card database compromise". This thread came up #1 on that search. Gotta love Flyertalk.
I will say that my past experience with Citi in this area was positive. Several years ago, they called me to validate 4 charges that had been flagged as suspicious. (I hung up and called them back, to ensure it wasn't phishing) and then was able to quickly confirm that the charges were not by me. They immediately removed the charges, sent me an affidavit to sign, and a new card. Changing the number on autopay and other merchant sites is a nuisance, but otherwise it was handled well, and all before I had ever noticed anything amiss.
Happy, thanks for the link, searching now...
Edit to add - I looked back 6 months on the list, and didn't find anyone with whom I'd charged anything. But it was surprising what a high percentage of breaches are at Government or Educational institutions.
#47
Join Date: Jan 2007
Location: Atlanta
Programs: DL GM, Mar Slv, HH Gld
Posts: 58
Heartland Breach
http://www.2008breach.com/
This is the likely source of many of your compromised accounts.
Funny how so many jumped on various bank conspiracy theories. These breaches are, unfortunately, not that uncommon over time.
And to those looking for disclosure from the bank of the impacted 3rd party -- how would you feel if you were the 3rd party? There are contracts/agreements, criminal and/or civil investigations (and potentially litigation), and other factors that prevent the bank from disclosing this information. Do you think the customer service reps and supervisors are really trying to withhold information from you? They want to keep you as a customer!
#48
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,850
#49
Join Date: Jan 2007
Location: Atlanta
Programs: DL GM, Mar Slv, HH Gld
Posts: 58
notquiteaff, please don't interpret that as a personal attack - it was a general observation of human nature.
To know what's really going on, we would need full disclosure from all merchants, merchant processors, and issuers - which we simply do not have. Today is much better than 5 years ago, but still not transparent (and in most cases, timely) to the customer. As you can see from the Heartland issue, it extends well back into 2008, but it's only surfacing to the public today and they are having to do damage control.
I personally agree with erring on the side of caution, although each issuer will have its own decision and justification of what to do in a potential (or real) compromise situation.
#50
Join Date: Mar 2008
Location: San Jose
Programs: AA PLT 1MM
Posts: 83
Citi decided unilaterally to reissue my card recently, and did so rather ungracefully -- I've started logging in regularly to check current charges, and they just stopped showing up. It wasn't until I saw a discrepancy between what showed up in my credit union's electronic bill delivery ($XXX.XX) and what citicards.com said ($0.00) that I knew something had happened.
And (as with others) they are refusing to tell me what merchant caused them to revoke the card or any other details which might lead me to discover any error I made. This is total BS.
#51
Join Date: Mar 2008
Location: San Jose
Programs: AA PLT 1MM
Posts: 83
More speculation about major credit card system breaches
#54
Join Date: Sep 2008
Posts: 3
I logged onto my PPE-WE account and saw a message saying there may potentially be unauthorized access to my account so I called right away. They said it was on the merchant side, but said that the merchant was unidentified at this point and that they were sending me a new card.
Yes, a phone call would have been nice...
#55
Join Date: Sep 2007
Location: JFK/EWR/LGA
Programs: AA, AGR, Choice Gold, CitiPrestige, TYP
Posts: 134
I logged onto my PPE-WE account and saw a message saying there may potentially be unauthorized access to my account so I called right away. They said it was on the merchant side, but said that the merchant was unidentified at this point and that they were sending me a new card.
Yes, a phone call would have been nice...
#56
Join Date: Jan 2005
Location: Moscow, Russia
Programs: AA Gold
Posts: 230
Hi all,
Does anyone know if the original security breach that was the topic of this thread was reported in the news media? I've tried googling without any luck.
Someone was asking why people are so worried about it. I'm a case in point. I was on an extended trip abroad in Russia and had called Citi ahead of time so that security knew about it and my card didn't get declined all the time. I used the card as a backup to my principal Amex card.
One day I need to use the MC for a business dinner -- DECLINED. Call Citi later to find out that the card had been cancelled and a new one issued and sent out to my US address -- which I'd told them would be inaccessible. Anyone could have gotten that card. No phone call to my US number that works overseas and which I'd given Citi.
I had them send a replacement overnight to Moscow. Never got there because they sent it regular snail mail. After at least two more tries to get it overnighted, I asked for them to freeze it and send me a bill. Never got the bill.
Little did I know they'd kept the clock running on the account as being overdue (in spite of my not being able to check the account on line or get a bill sent to Russia).
I paid the balance in full (they waived the finance charges when they realized it was their screw up) when I came back two months later and was able to look at a bill.
Problem is that now I need to write a letter of explanation to my explain why I have one $200 late payment on my otherwise excellent credit report.
I was hoping to get some sort of news report or even press release to reference in the letter to show I'm not making this security breach up.
Thanks
#57
Join Date: Mar 2008
Location: San Jose
Programs: AA PLT 1MM
Posts: 83
Citi customer service went beyond unhelpful into actively misleading when I attempted to find out why they revoked my card; I think it's unlikely that they will allow you to connect their revocation of your card with any particular publicly disclosed incident.
#58
Join Date: Nov 2006
Location: AUS
Programs: AA PLT
Posts: 82
Citi is still replacing cards
I just got a replacement Citi AA Visa in the mail yesterday under the same 'merchant database compromise' notice. Never had a prior replacement.
Does anyone know whether they're still replacing cards under the earlier 2008 breach? Or is there a more recent one in the news?
#59
Join Date: Mar 2008
Location: San Jose
Programs: AA PLT 1MM
Posts: 83
I just got a replacement Citi AA Visa in the mail yesterday under the same 'merchant database compromise' notice. Never had a prior replacement.
Does anyone know whether they're still replacing cards under the earlier 2008 breach? Or is there a more recent one in the news?
If this is fallout from the Heartland incident, the "merchant database compromise" notice is at best misleading and at worst an outright lie, as Heartland isn't what I'd think of as a "merchant" -- it's a service provider to merchants.
Card revocations from the Heartland incident continue to make the news. See:
http://www.omaha.com/article/2009063...019980/-1/NEWS
http://www.bankinfosecurity.com/arti...hp?art_id=1568
Perhaps Heartland didn't actually plug all the holes and is still being actively exploited -- I can't think of any other reason why the revocations are still dribbling out.
#60
Join Date: May 2009
Posts: 6
Those that know at Citi aren't talking
If this is fallout from the Heartland incident, the "merchant database compromise" notice is at best misleading and at worst an outright lie, as Heartland isn't what I'd think of as a "merchant" -- it's a service provider to merchants.
Card revocations from the Heartland incident continue to make the news. See:
http://www.omaha.com/article/2009063...019980/-1/NEWS
http://www.bankinfosecurity.com/arti...hp?art_id=1568
Perhaps Heartland didn't actually plug all the holes and is still being actively exploited -- I can't think of any other reason why the revocations are still dribbling out.