Citibank was just hacked and hundreds of thousands of customer accounts were exposed. Of their 21 million credit and debit card holders, one per cent, or approximately 210,000 accounts had their details stolen in this breach of security. Give or take.
Which sounds bad.
And is … to an extent.
But it could have been much worse. The damage done from the security violation was mitigated greatly by Citibank’s good security practices.
First, the unauthorized access to Citi’s Account Online was discovered during routine monitoring. Already a good start, that the access is monitored. The next mitigating factor: only 1% of accounts were exposed. Even better. Further, Citibank is contacting customers whose information was impacted. Good. Citi has already implemented enhanced procedures to prevent a recurrence of this type of event. Great! But best of all? THE most important mitigating factor? Only names, email addresses, contact information, and account numbers were exposed. Birth dates, PINs, SSNs, card expiration dates, card CVV security codes, and the like, the truly sensitive parts of the account details, were NOT compromised because THAT information was held on a separate and even more secure server.
(Sony, are you listening?!)
That is how security should be done.
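The separation described above, contact data on one tier and the sensitive fields on another, is easy to state and easy to get wrong in code. The sketch below is an added example, not Citi’s system and not from the original post: the store names, field allow-lists, roles and the customer record are all constructed. The online-facing store refuses to accept any field outside its allow-list, the sensitive store is keyed by an opaque token rather than the account number, every call into it is role-checked and logged, and the PIN is only ever verified, never returned.

```python
"""Data-segregation sketch (hypothetical code, added as an illustration):
the online-facing store holds only contact data plus an opaque vault token;
the sensitive fields live in a separate store with its own access policy,
so a dump of the online tier alone yields nothing the post calls sensitive."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# Which fields belong on which side of the boundary (constructed lists).
ONLINE_FIELDS = {"name", "email", "phone", "account_number"}
SENSITIVE_FIELDS = {"dob", "pin", "ssn", "card_expiry", "cvv"}
# Roles allowed to call into the sensitive store at all (assumption).
VAULT_ROLES = {"fraud-ops", "card-issuance"}


class OnlineStore:
    """What the customer-facing web tier can read: contact data only."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}

    def put(self, row: dict) -> None:
        # Refuse anything outside the allow-list, so an upstream bug cannot
        # quietly leak a sensitive field into the exposed tier.
        extra = set(row) - ONLINE_FIELDS - {"vault_token"}
        if extra:
            raise ValueError(f"refusing fields in online store: {sorted(extra)}")
        self.rows[row["account_number"]] = dict(row)

    def dump(self) -> List[dict]:
        """Models what an attacker obtains if this tier alone is breached."""
        return [dict(r) for r in self.rows.values()]


class SensitiveStore:
    """Separate store: keyed by opaque token, role-checked, audit-logged."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}
        self.audit: List[str] = []

    def put(self, token: str, row: dict) -> None:
        row = dict(row)
        # The PIN is stored salted and hashed, never in clear.
        salt = secrets.token_hex(8)
        row["pin"] = (salt, hashlib.sha256((salt + row["pin"]).encode()).hexdigest())
        # Card-brand rules forbid retaining the CVV after authorization; it is
        # present here only to mirror the field list in the post above.
        self.rows[token] = row

    def _authorize(self, role: str, action: str, token: str) -> None:
        self.audit.append(f"{role} {action} {token[:6]}..")  # routine monitoring feed
        if role not in VAULT_ROLES:
            raise PermissionError(f"role {role!r} may not {action}")

    def verify_pin(self, token: str, candidate: str, role: str) -> bool:
        """Answers yes/no only; the PIN itself never leaves the store."""
        self._authorize(role, "verify_pin", token)
        salt, digest = self.rows[token]["pin"]
        cand = hashlib.sha256((salt + candidate).encode()).hexdigest()
        return hmac.compare_digest(cand, digest)

    def last4_ssn(self, token: str, role: str) -> str:
        """Returns a masked value; the full SSN is never handed out."""
        self._authorize(role, "last4_ssn", token)
        return self.rows[token]["ssn"][-4:]


def enroll(online: OnlineStore, vault: SensitiveStore, customer: dict) -> str:
    """Split one customer record across the two stores; returns the vault token."""
    token = secrets.token_urlsafe(16)
    public = {k: v for k, v in customer.items() if k in ONLINE_FIELDS}
    online.put({**public, "vault_token": token})
    vault.put(token, {k: v for k, v in customer.items() if k in SENSITIVE_FIELDS})
    return token


def leaked_sensitive_fields(online: OnlineStore) -> Set[str]:
    """Sensitive field names present anywhere in a full dump of the online tier."""
    seen: Set[str] = set()
    for row in online.dump():
        seen |= set(row)
    return seen & SENSITIVE_FIELDS


def demo():
    online, vault = OnlineStore(), SensitiveStore()
    customer = {  # constructed sample record, not real data
        "name": "A. Example", "email": "a@example.invalid", "phone": "555-0100",
        "account_number": "ACCT-000123", "dob": "1970-01-01", "pin": "1234",
        "ssn": "000-00-6789", "card_expiry": "12/30", "cvv": "999",
    }
    token = enroll(online, vault, customer)
    return online, vault, token


if __name__ == "__main__":
    online, vault, token = demo()
    print("fields visible to a breach of the online tier:", sorted(online.dump()[0]))
    print("sensitive fields leaked:", leaked_sensitive_fields(online))
    print("fraud-ops PIN check:", vault.verify_pin(token, "1234", role="fraud-ops"))
    print("audit trail:", vault.audit)
```

The two design choices doing the work are the allow-list on `OnlineStore.put` (the exposed tier cannot be made to hold a sensitive field even by a careless caller) and the fact that the sensitive store answers questions rather than returning records. The audit list is the hook a "routine monitoring" job would read: a web-tier role calling into the vault shows up there immediately, before it ever succeeds.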
Because, let’s face it, hacks will happen. Security will be breached. It’s not a matter of if, it’s a matter of when, how often, and how bad it is. Good security to prevent being hacked is a great start. But just as important are good policies and practices to mitigate the damage when the inevitable happens. Hackers are determined souls, and let’s face it, computers, having been created by humanity, are just as fallible in hardware and software as we fleshy creatures ourselves are. We might like to pretend otherwise, but nobody is perfect, including the folks who wrote your bestest-of-the-best grade-A number-one security software. We all make mistakes. But we don’t all have to pay through the nose for them if we take security seriously.