Citigroup has confirmed the personal data of over 92,000 customers of Citi Cards Japan (CCJ) has been obtained illegally and sold to a third party in the second breach in the Citigroup fold in the past four months.
Information was allegedly obtained by a supplier and includes account number, name, address, phone numbers, date of birth, gender and date the account was opened. But Citigroup said security information, including personal identification numbers (PINs) and card security codes, was not included and the breach affects CCJ customers only.
Citigroup claimed the risk of fraud is minimal due to the absence of security information. However, the bank added that it is monitoring all accounts for suspicious credit card transactions.
CCJ is informing all customers affected by letter and on its website, and has undertaken to re-issue credit cards if requested.
Citigroup has also promised to take "firm action" against parties involved in the information theft, but has given no details of how the customer information was stolen.
In June, the company was forced to re-issue cards to many of the 360,000 Citi Cards customers in the US affected by a breach of Citigroup’s online accounts system in May.
Citigroup Bank investigators found hackers had accessed customer details, including name, account number and contact information. As in the latest breach in Japan, the bank said the data critical to committing fraud, such as the card security code, was not compromised.