The data breach tracking site Privacy Rights Clearing House, chronicles data breaches logged within their 535,363,707 database records. Consider the template press releases in the recent back-to-back Citibank breaches:
On June 13th Citigroup issues its official statement announcing the account exposure of 1% of its 21 Million credit-card customers sometime in May. Within two days, the numbers grow from 210,000 to 360,000 during an initial inquiry by the Connecticut Attorney General George.
As of June 24th at least 3,400 of the compromised cards show a combined loss of $2,700,000. Interestingly, according to Citigroup’s initial public statement, “data that is critical to commit fraud was not compromised: the customers' social security number, date of birth, card expiration date and card security code (CVV)."
Following the breach, on August 8th, Eweek Europe reports:
“Eight weeks after a hacker cracked Citigroup’s credit card database, the company’s credit card unit in Japan, Citi Card, reported in a message to its user base on 5 August that 'certain personal information of about 92,400 customers has allegedly been obtained and sold to a third party illegally”.
Not to worry says Citigroup in its initial statement dated August 5th, just as reported in their prior breach, the personal identification numbers and security codes (CVV, or Card Verification Value, data) necessary to commit fraud were not revealed in the breach.