US authorities are demanding Citigroup hand over details of its security after a hacker attack on Citigroup Bank breached the data of many thousands of credit card holders.
According to Citigroup, the breach occurred in early May, but the company began notifying about 200,000 customers and re-issuing cards only last week.
The Connecticut attorney-general, George Jepson, wants to know how much data was exposed. George Jepson is seeking evidence that Citigroup will be able to prevent further breaches.
US law enforcement officials are worried other financial websites could be vulnerable to similar cyber attacks, according to the Financial Times.
The breach is being probed by the US Secret Service as part of its mission to protect US currency. The US Department of Homeland Security is considering whether to notify other institutions about the technique.
By exploiting a website vulnerability, hackers bypassed traditional safeguards to impersonate real credit card holders, according to The New York Times.
Hackers penetrated the bank's defences by logging on to the site reserved for its credit card customers. The Citigroup hackers then used automated tools to insert thousands of different account numbers sequentially into a string of text found in the browser's address bar. This allowed the hackers capture confidential data from Citigroup Bank's database.
Investigators said although the attack method was simple, they had not seen it used against banking institutions before. Investigators said the Citigroup Bank hack was the work of extremely sophisticated attackers.
A joint body of US finance industry regulators is expected to issue revised guidelines shortly, requiring banks to conduct risk assessments and do more to authenticate clients online.