NEW YORK (Reuters) - The U.S. Federal Bureau of Investigation is probing a computer hacking that targeted Citigroup Inc and resulted in the theft of tens of million of dollars, The Wall Street Journal said, citing unidentified U.S. government officials.
Citigroup disputed the report, saying its customers had not lost money.
“There has been no breach and there have been no associated losses,” the bank said in a statement.
“Occasionally, as with virtually all financial institutions, there are instances of fraud of breaches of third-party systems that result in our taking actions to protect our customers and Citi,” the bank added.
The cyber attack, believed to be linked to a Russian gang, was aimed at Citigroup’s Citibank subsidiary, the paper said, adding that the hackers may have gained access to the bank’s systems through third parties.
Two other entities, including a U.S. government agency, were also attacked by hackers, the paper said, citing people familiar with the Citibank incident.
FBI spokesman Richard Kolko declined comment, saying it is agency policy to neither confirm nor deny whether investigations are in progress.
The attack on Citibank is believed to have taken place over the summer and was detected at that time, but investigators suspect it could have taken place up to a year earlier, the paper said.
“Most financial institutions of this magnitude are working extremely hard to avoid this kind of thing and be out ahead of it,” said Scott Vernick, a lawyer at Fox Rothschild LLP whose practice includes electronic data securities matters.
“The problem is the criminals are working even harder,” Vernick added.
The Wall Street Journal mentioned a Citibank customer who saw more than $1 million removed from his account and sent to banks in Latvia and Ukraine. The bank helped him recover most of the money and reimbursed him for the rest, the newspaper reported, adding that it was not clear whether the incident was part of the larger attack on Citigroup.
In a statement, the bank said it was an isolated case of fraud.
Citigroup also said that attacks are directed against companies globally, and while there had been attempts to interfere with the bank’s systems, none had been successful.
But Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, said, “I don’t want to sound alarmist ... but the evidence is just overwhelming today that attacks are successful in many instances, particularly socially engineered attacks.”
(Reporting by Dan Wilchins in New York; additional reporting by Jim Finkle in Boston, Jeremy Pelofsky and Dan Margolies in Washington and Ajay Kamalakaran in Bangalore; editing by Valerie Lee, John Wallace and Tim Dobbyn)