Citi Mastercard - Merchant Database Compromise
 

I just learned from Citi that my Citi Mastercard appears to have been compromised as a result of a "merchant database compromise". The account seems to have been closed down relatively quickly and a new card sent out. I'm concerned about a couple of things, though. First, I heard of the problem via receipt in the mail of a new card. I'm a Citigold customer. Maybe a phone call earlier would have been a good idea. Also, what if the security compromise extends somehow to identity theft? Sending a new card to the address on my account could simply involve sending the card to the fraudster? Second, no one (neither Citi nor Mastercard) is able or willing to tell me who the suspected merchant is at this time. Mastercard said that, in about 60-90 days, when the fraud investigation is complete, Citi may be able to provide me with the information (but I'm not holding my breath). I suppose the good thing is that I don't use this card very much, so my list of suspected merchants has only about a half a dozen names, and I can avoid those retailers until I learn more. I'm also concerned that the database compromise resulted from a purchase made through an online purchase made through the Thank You Points earnings mall.

Any suggestions for additional steps I should take to protect my accounts and identity? Thanks

Same thing happened to me, and I was also a bit concerned about what other info the merchant may have had, but Citi wouldn't disclose the name of the merchant to me.

One of my colleagues had the same problem. His Citi Mastercard-branded ATM card was affected (which is scarier, I think).

Well.. this is not new. I believe this actually happened a while back and they've
been sending out new cards in selective batch. I received one a few weeks
back.

Identity theft is possible regardless.. it might be a good idea to put a credit
freeze by calling credit bureaus.

I had the same thing happen to me, and it doesn't make sense. I had two cards cancelled at the same time - my Drivers Edge card and my Citi Professional.

The Citi Profesional I ONLY use for restaurants and nothing else. Nothing. It would be a lot of work, but we could probably all determine a common merchant between our cards if we wanted. I don't eat at too many different places, so I probably only have around ten different merchants for this card ever.

I use my Drivers Edge card ONLY for gas, groceries, and drugstores. There is simply no way for a merchant to have both of these card numbers.

Either there were multiple merchants or something funny is going on.

It could be due to a compromise of the issuing bank itself, VI/MC database
or a card processing company's database compromise.

There's a similar thread started in the Hilton Forum, with people reporting problems with their Citi Hilton Visa. Maybe the threads should be merged? (Not sure how to do this.)

Thread in the HHonors forum:

http://www.flyertalk.com/forum/showthread.php?t=863633

It's interesting that only Citi appears to be affected. To me this is an indication that it wasn't actually a merchant that had its database breached (why would the other CC issuers otherwise not replace their cards?)

If Citi isn't willing to disclose the name of the merchant that causes them *and* me this trouble, I am not willing to do any further business with them.

Anyone here familiar with CA SB1386 and willing to speculate on whether it applies here?

click the report bad post at the corner of the post and give the mods the links to the threads.

Did you use it at a Citi 7-11 ATM? Something happened with them this summer.

I never use my credit card in an ATM, and I almost never use my ATM debit card at all (I charge everything or get cash from my husband).

I've just had my Citibank-issued American Express card go through this process too (notification via online account services, customer service representative confirms it will be deactivated as soon as I activate the automatically sent out new card). This data point shows the problem is not specific to Mastercard numbers, and seems suggestive that the problem is indeed with Citi, and not downline. It will be interesting to see -- does anybody have any non-Citibank-issued cards affected?

I'm quite annoyed -- having just recently had to proactively shut down a Citibank-issued Mastercard because I noticed within 24 hours the fraudulent maximum-at-the-gas-pump charges posting in rapid succession from Florida gas stations, I just moved a bunch of automatic billing arrangements to this American Express card in the past month. Now I have to change them all again. If this really is Citibank's fault... grrr!

Someone is reporting on a Hilton thread that they've just had the same problem with Bank of America. However, most of the reports I've seen since I've been googling the topic in the last few days have involved Citibank.

I've cancelled the replacement Citi card they sent me and don't plan to get another. I get free Citigold service through my employer, so Citi is too good a deal to pass up for now. Also, I doubt that any other major bank is any safer than Citi. Mr Canuck and I are planning to confirm that our money market accounts are de-linked from our ATM cards, and we're just going to keep as little cash in our ATM-accessible accounts as possible.

Wondering if anyone affected by this is in California? I believe that CA law requires notification to customer of details of breech.

Also, IMHO, it is not wise to have credit cards linked to an online accessible bank account. Completely unlinked is wiser/safer.

I received a letter from State Farm Bank dated August 22 that describes "an unauthorized access to a merchant's data processing system". I have a VISA card with them. I received a replacement card around Labor Day.