Three people have been brought to face a New York court, being accused of using data taken from a server to steal USD 2 million from Citi customer’s accounts.

Citibank officials monitoring their network on May 8 noticed suspicious ATM transactions at five cash machines located in the vestibule of a Citibank branch at 55th street and Madison Avenue in New York. This happened three months after Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes from a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the US Secret Service arrested two Ukrainian immigrants and two alleged accomplices for allegedly using the stolen PINs to steal USD 2 million in cash from unsuspecting Citibank customers. Citi says it alerted its cardholders in early 2008 about the breach and reissued cards when necessary.

However, the arrests did not stop the fraud, which spread from a computer intrusion into bank system intrusion. The pair are alleged to be part of a worldwide crime syndicate that has made 9,000 fraudulent ATM withdrawals, accounting to court documents. The money was stolen from ATMs in the New York area. The defendants are alleged to have received card information over the internet from the hackers who broke into the processing system. The FBI has recently made at least six more arrests in New York thanks to information from arrested scam suspects and an undercover operation.  

Citi does not own the approximately 5,700 7-Eleven ATMs which carry its branding. A part of the ATMs are owned by Cardtronics and another part by Fiserv. Both companies declined to say whose system might have suffered the breach.  According to Trace Security, Citibank customers’ funds were hacked via the connection between ATMs and third parties processing their PIN codes.