Citi Mastercard - Merchant Database Compromise

Old Sep 9, 08, 6:28 am
  #1  
Suspended
Original Poster
 
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628

I just learned from Citi that my Citi Mastercard appears to have been compromised as a result of a "merchant database compromise". The account seems to have been closed down relatively quickly and a new card sent out. I'm concerned about a couple of things, though. First, I heard of the problem via receipt in the mail of a new card. I'm a Citigold customer. Maybe a phone call earlier would have been a good idea. Also, what if the security compromise extends somehow to identity theft? Sending a new card to the address on my account could simply involve sending the card to the fraudster? Second, no one (neither Citi nor Mastercard) is able or willing to tell me who the suspected merchant is at this time. Mastercard said that, in about 60-90 days, when the fraud investigation is complete, Citi may be able to provide me with the information (but I'm not holding my breath). I suppose the good thing is that I don't use this card very much, so my list of suspected merchants has only about a half a dozen names, and I can avoid those retailers until I learn more. I'm also concerned that the database compromise resulted from a purchase made through an online purchase made through the Thank You Points earnings mall.

Any suggestions for additional steps I should take to protect my accounts and identity? Thanks

Last edited by Kate_Canuck; Sep 9, 08 at 5:47 pm
Kate_Canuck is offline  
Old Sep 9, 08, 11:48 am
  #2  
 
Join Date: Jan 2007
Location: QSF
Programs: UA GS 1.1MM | Marriott Lifetime Titanium | National EE
Posts: 614
Same thing happened to me, and I was also a bit concerned about what other info the merchant may have had, but Citi wouldn't disclose the name of the merchant to me.
BOISJC744 is offline  
Old Sep 9, 08, 1:48 pm
  #3  
Suspended
Original Poster
 
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628
One of my colleagues had the same problem. His Citi Mastercard-branded ATM card was affected (which is scarier, I think).
Kate_Canuck is offline  
Old Sep 9, 08, 1:53 pm
  #4  
cpx
 
Join Date: Feb 2006
Location: 99654
Programs: Many
Posts: 6,448
Well.. this is not new. I believe this actually happened a while back and they've been sending out new cards in selective batch. I received one a few weeks back.

Identity theft is possible regardless.. it might be a good idea to put a credit freeze by calling credit bureaus.
cpx is offline  
Old Sep 9, 08, 8:37 pm
  #5  
 
Join Date: Oct 2006
Location: DTW
Programs: AA EXP, DL FO
Posts: 1,703
I had the same thing happen to me, and it doesn't make sense. I had two cards cancelled at the same time - my Drivers Edge card and my Citi Professional.

The Citi Professional I ONLY use for restaurants and nothing else. Nothing. It would be a lot of work, but we could probably all determine a common merchant between our cards if we wanted. I don't eat at too many different places, so I probably only have around ten different merchants for this card ever.

I use my Drivers Edge card ONLY for gas, groceries, and drugstores. There is simply no way for a merchant to have both of these card numbers.

Either there were multiple merchants or something funny is going on.
vxmike is offline  
Old Sep 9, 08, 9:12 pm
  #6  
cpx
 
Join Date: Feb 2006
Location: 99654
Programs: Many
Posts: 6,448
Originally Posted by vxmike View Post

Either there were multiple merchants or something funny is going on.
It could be due to a compromise of the issuing bank itself, VI/MC database or a card processing company's database compromise.
cpx is offline  
Old Sep 9, 08, 9:19 pm
  #7  
Suspended
Original Poster
 
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628
There's a similar thread started in the Hilton Forum, with people reporting problems with their Citi Hilton Visa. Maybe the threads should be merged? (Not sure how to do this.)
Kate_Canuck is offline  
Old Sep 9, 08, 9:56 pm
  #8  
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA 1MM, AS MVP, Bonvoyed Gold, Honors Dia, IHG Plat, ...
Posts: 8,590
Thread in the HHonors forum:

http://www.flyertalk.com/forum/showthread.php?t=863633

It's interesting that only Citi appears to be affected. To me this is an indication that it wasn't actually a merchant that had its database breached (why would the other CC issuers otherwise not replace their cards?)

If Citi isn't willing to disclose the name of the merchant that causes them *and* me this trouble, I am not willing to do any further business with them.

Anyone here familiar with CA SB1386 and willing to speculate on whether it applies here?
notquiteaff is online now  
Old Sep 9, 08, 9:59 pm
  #9  
 
Join Date: Aug 2006
Location: CLT
Posts: 7,249
Originally Posted by Kate_Canuck View Post
There's a similar thread started in the Hilton Forum, with people reporting problems with their Citi Hilton Visa. Maybe the threads should be merged? (Not sure how to do this.)
Click the report bad post at the corner of the post and give the mods the links to the threads.
gj83 is offline  
Old Sep 10, 08, 8:59 am
  #10  
 
Join Date: Dec 2004
Posts: 6,934
Did you use it at a Citi 7-11 ATM? Something happened with them this summer.
rrgg is offline  
Old Sep 10, 08, 11:27 am
  #11  
Suspended
Original Poster
 
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628
I never use my credit card in an ATM, and I almost never use my ATM debit card at all (I charge everything or get cash from my husband).
Kate_Canuck is offline  
Old Sep 13, 08, 6:57 am
  #12  
 
Join Date: Nov 1999
Location: SFO
Programs: UA 1.050MM, PersonalCar 0.275MM
Posts: 1,718
I've just had my Citibank-issued American Express card go through this process too (notification via online account services, customer service representative confirms it will be deactivated as soon as I activate the automatically sent out new card). This data point shows the problem is not specific to Mastercard numbers, and seems suggestive that the problem is indeed with Citi, and not downline. It will be interesting to see -- does anybody have any non-Citibank-issued cards affected?

I'm quite annoyed -- having just recently had to proactively shut down a Citibank-issued Mastercard because I noticed within 24 hours the fraudulent maximum-at-the-gas-pump charges posting in rapid succession from Florida gas stations, I just moved a bunch of automatic billing arrangements to this American Express card in the past month. Now I have to change them all again. If this really is Citibank's fault... grrr!
pshuang is offline  
Old Sep 13, 08, 11:00 am
  #13  
Suspended
Original Poster
 
Join Date: May 2003
Location: NYC
Programs: United 1K, HHonors Gold, MR Gold
Posts: 1,628
Originally Posted by pshuang View Post
I've just had my Citibank-issued American Express card go through this process too (notification via online account services, customer service representative confirms it will be deactivated as soon as I activate the automatically sent out new card). This data point shows the problem is not specific to Mastercard numbers, and seems suggestive that the problem is indeed with Citi, and not downline. It will be interesting to see -- does anybody have any non-Citibank-issued cards affected?
Someone is reporting on a Hilton thread that they've just had the same problem with Bank of America. However, most of the reports I've seen since I've been googling the topic in the last few days have involved Citibank.

I've cancelled the replacement Citi card they sent me and don't plan to get another. I get free Citigold service through my employer, so Citi is too good a deal to pass up for now. Also, I doubt that any other major bank is any safer than Citi. Mr Canuck and I are planning to confirm that our money market accounts are de-linked from our ATM cards, and we're just going to keep as little cash in our ATM-accessible accounts as possible.
Kate_Canuck is offline  
Old Sep 15, 08, 7:03 pm
  #14  
In memoriam
 
Join Date: Jan 2006
Posts: 4,020
Wondering if anyone affected by this is in California? I believe that CA law requires notification to customer of details of breach.

Also, IMHO, it is not wise to have credit cards linked to an online accessible bank account. Completely unlinked is wiser/safer.
biggestbopper is offline  
Old Sep 15, 08, 8:20 pm
  #15  
FlyerTalk Evangelist
 
Join Date: Jun 2000
Location: Benicia CA
Programs: Alaska MVP Gold 75K, AA 3.8MM, UA 1.1MM, enjoying the retired life
Posts: 31,270
Originally Posted by biggestbopper View Post
Wondering if anyone affected by this is in California? I believe that CA law requires notification to customer of details of breach.
I received a letter from State Farm Bank dated August 22 that describes "an unauthorized access to a merchant's data processing system". I have a VISA card with them. I received a replacement card around Labor Day.
tom911 is offline  
