What You Can Do If Your Bank Has Been Hacked: Not Much

Citigroup has admitted that several thousand customers lost more than $2 million not by misplacing their credit cards, falling victim to scammers or making risky gambles. Their only mistake: trusting the bank with their data.

By no fault of their own, consumers that entrust companies with their personal information -- something that has essentially become mandatory in a day and age where every click, swipe, note and check can be immediately and cheaply stored on servers -- are being put at risk for theft and fraud because corporations can't defend themselves against hackers aiming to pilfer vast troves of data consisting of names, email addresses, credit card numbers and more.

Citigroup told government officials that $2.7 million had been stolen from 3,400 consumers after hackers compromised credit card information belonging to over 360,000 accounts, according to Businessweek. While the account holders will be reimbursed by the company, Citigroup cannot retrieve their data, which included names and contact information.

The bank is one of several corporations that have suffered major online security breaches. Earlier this year, over 100 million users had their names, passwords, addresses and email addresses stolen by hackers that broke in to Sony’s servers, while Epsilon, an email marketing provider that sends 40 billion emails a year for over 2,500 clients, acknowledged hackers had accessed its list of names and email addresses.

This rash of cyberattacks highlights the new risks consumers face as more and more information about their bank balances, shopping habits, friends and hobbies is being stored on remote servers that are vulnerable to break-ins by hackers around the world. These breaches also underscore how powerless customers are: Once they have handed over their data, there’s little they can do to safeguard it. Though users can take precautions, such as steering clear of malicious software and being wary of fake phishing sites, to ensure they are not personally attacked, experts say there’s really only one thing that individuals can do to prevent hackers from breaking into companies’ databases: cross their fingers.

“There’s not much that consumers can do when Citibank gets hacked,” said Jeremiah Grossman, the chief technology officer of WhiteHat security, a web security company. “They can protect themselves from getting hacked, but not Citibank. That’s outside their control.”

Analysts predict that the number, scale and sophistication of cyberattacks targeted at corporations -- and the data they hold -- will continue to grow. And though companies may fortify their defenses after each successful breach, hackers are likely to stay at least one step ahead, they warn.

“Everyone’s data is out there and everyone uses online systems, so breaches have been the natural course of events and they will continue to be,” said Grossman. “No one would say the breaches will stop or even slow down at this point. Companies will become more secure, then the bad guys will shift tactics.”

Consumers cannot verify that a company is doing everything in its power to protect their information, such as encrypting the data, using updated software and maintaining logs of everything going into and out of its servers. But individuals can mitigate the damage they would suffer from a data breach by being choosy about what information they share with services and in some cases, lying about the personal details they pass along.

Of course, some sites need honest answers -- giving Amazon.com a fake address would make it all but impossible to effectively order books -- but other websites need not necessarily know when you were born or where. Experts recommend that users invent the answers to security questions that are used to recover lost or forgotten password to ensure that if the "secret answer" to one account is compromised, others will not be vulnerable. Gmail will not know that "Batgirl" was not your mother’s maiden name.

“You need to think about whether you need to tell the truth to certain organizations,” said Graham Cluley, a senior technology consultant at Sophos, a security provider . “Sony has no way of verifying my date of birth. If you haven’t told the truth then you doesn’t matter if you lose that data, you haven’t lost anything that matters.”

Users can also mitigate the effect of a hack by ensuring that they use a different password for every account they have on the web. If hackers gain access to a trove of usernames and passwords, they may attempt to use that information log into other accounts, and one compromised account could quickly put every other at risk.

"Even if your password at Sony is compromised, let’s make sure that that doesn’t unlock any other doors for hackers," said Cluley. "You should use a different password for each site, it limits how far hackers can spread the harm."

Though no company is invulnerable to cyberattacks, consumers concerned about the safekeeping of their personal information ultimately have the option to turn their backs on firms that don’t demonstrate a commitment to safeguarding their data. Corporations that lose users' trust also lose their dollars and their data, and web giants like Facebook and Google have repeatedly said that their success is tied directly to how users perceive the safety of their information.

“More fool you if you keep on working with a company which has a poor track record of looking after these things,” Cluley said. “My hope is that individuals will begin to put more emphasis on security and the track record of how well these companies keep track of our data than on some of the bells and whistles they might offer.”