ekimminau's Journal: Merchant DB hack compromises MasterCard CC #s

At 4:30PM EST today, 15 August 2007, I logged into the CitiBank website for my CitiBank MasterCard (referred to from here on as CB MC)and was surprised to be presented with a blinking red notification that my card had been flagged for "suspicious activity". I was directed to contact CitiBank customer service. What follows is my efforts to determine what has happened.

4:35PM My wife called Citibank customer service # on the back of my card, 800-633-7367. Was told "A merchant where you have used your CB MC has had their database compromised. A new card was issued and mailed to you on August 13. You will not be responsible for any illegitimate charges that may occur, if any."

4:50PM I called back customer service and was answered by an operator who could barely speak english.
I requested the name of the Merchant who compromised my account, the date it was compromised and wanted to know why the Merchant had not contacted me as required by law.
I was told that customer service doesn't have this information. I asked to be transferred to a supervisor. Was transferred to "Account Manager Lillian, TELU368". She repeated the same song.
I asked to speak to her manager (Mrs. Mazingo, the CRT Manager) who was "unavailable".
I asked to speak to HER manager (Mrs. Woodward, the Operations Manager). She wasn't available either. I requested the process to request executive intervention and was told that such a process doesn't exist (I know that it does) but I could either write a letter or wait up to 48 hours for a return call from the CRT Manager. I requested the call back. It is 5:00PM.

5:00PM I dial directory assistance for "The Lakes, NV 89163", the PO Box # address on the back of my card. No offices but several CitiBank branches. I ask for the Main Branch.

5:05PM I call The Lakes, NV Branch, 702-870-9262 and ask to speak to the Branch Manager. I am transferred to the Operations Manager, Maria, and explain the situation. She did not know where the corporate offices are or where the executives are but she committed to calling internally to see if she could get some help. She will try to call back today.

5:30PM I start digging on the internet and find the Internet Security SPecialists for CitiGroup USA U.S. Cards Division at 1-888-285-9696. I call and speak to Anthony, MCA0198. He doesn't know where business office or executives are. I ask to speak to a manager.

5:35PM Transferred to "Nancy Wilson, Account Manager #KCP0008". I explain the situation to her again and she tells me that "CitiBank can't give you the information you are requesting (name of the Merchant who compromised my account, the date it was compromised and wanted to know why the Merchant had not contacted me as required by law) because there is still pending litigation (just like when TJMaxx happened).

She did tell me that the President of U.S. Cards for Citigroup is Kendall (Ken?) Stork and he and the "Presidential Unit" (The group that handles Executive Intervention - AHA!) are located in Sioux Falls, SD. She said if I write a letter to:
Kendall Story
Presidential Unit
P.O. Box 6000
Sioux Falls, SD 57117

That is the only way my concern could be escalated to his attention. I hang up. It is 5:42 PM. I start typing this journal entry.

5:44PM Phone rings. It is Maria from Las Vegas. There is still an ongoing investigation. A new card has been sent. blah blah blah. She recommends I contact MasterCard International. I thank her.

5:48PM. clickety-click. http://www.mastercard.com/us/gateway.html
Company Info, Contact Us
2000 Purchase St.
Purchase, NY 10577
1-914-249-2000

I call and wait for the security desk to answer. I ask to be transferred to the "Presidential Unit". A nice man tells me that I am too late, they close at 5:00PM. I ask if I am at the right place for the presidential Unit. He says yes, and to call back between 9:00AM and 4:00PM. Whether or not they will transfer me to the Presidential Unit is another story. I thank him and continue typing.

6:05PM Rrrring. This is Mrs. Tabler, TELT667, from the Maryland Office of CitiBank in Maryland. Your account was noted my TJMaxx/Marshalls to MasterCard Intl. and was reported to us on August 9th. We do not know when your account was compromised. We were notified on the 9th and you should have your written notification from us within the next few days along with your new card.

HOLY CRAP! I say. You mean I am part of the compromise that was reported on April 01, 2007 and I am just NOW being notified? What the hell?
I am sorry sir. As I said we were just notified on the 9th and at a cost of millions of $$$ (BOO HOO!) to our company, we are notifying all of our cardholders and sending them new cards. If you would like additional information, you should contact MasterCard 24x7 at 800-826-2181.

type. type. type.

6:33PM 800-826-2181 option 1 (for English)
Option 3 (other services) Card # entry. (1 for correct).
Option 6 (all other calls) transferred to a representative:
Lonny (wouldn't give me operator #).
MC Intl knows nothing about your card, your account, and has nothing to do with any transaction information. Citibank must be trying to shed a little bit of the responsibility. We are not a credit card issuer. We are not a financial information.

I don't understand why a "senior Manger" from CitiBank would tell me to call the number provided for MasterCard if I wanted to know why it took MasterCard 4 months to inform me my card had been compromised.
He offered to let me talk to a supervisor, Celia, MC Assistance center.

6:45PM Hi this is Celia, manager on duty this evening. We can only tell you to monitor your account. We made all of our notifications to all the banks in April 2007. It was CitiBank that took until now to notify you. There has not been another breech. We sent it out right when it happened. The should have notified you immediately.

We talk a little more. She sounded pretty honest and pretty sincere (not like the jerks at CitiBank who were all stressed). Out of everyone I have talked to tonight, I have to say I believe her the most.

So, for everyone out there who has a CitiBank credit card that has ever been used at any of the TJMaxx stores, your card has probably been compromised and they are just finally getting around to letting you know now. 4 months later. Hell of a job!

What REALLY pisses me off is that I contacted all of my card companies back in April to ask if my cards had been compromised and every one of them, yes EVEN CITIBANK, said no, they had not. No I didn't document it. Didn't think I needed to. You are supposed to be able to trust your credit card company, right?

I think I will be canceling all of my CitiCards tomorrow morning.

The original TJX Hacked /. article: http://it.slashdot.org/article.pl?sid=07/03/29/1618239