The investigation found a “known technical vulnerability” in the bank’s Account Online web-based service, Connecticut Attorney General George Jepsen said in a statement today announcing the settlement.
“This vulnerability was known to the company at the time of the breach and may have existed since 2008,” he said.
New York-based Citigroup will obtain a third-party data security audit, the state said. The investigation was conducted by Connecticut and California Attorney General Kamala Harris.
The bank will also pay $55,000.
Customer data that is “critical to commit identity theft” was not accessed, said Emily Collins, a spokeswoman for the bank.
“Citi has and will continue to comply with all applicable information security laws and customer notification requirements,” Collins said.
To contact the editor responsible for this story: Andrew Dunn at firstname.lastname@example.org