the audit

About That Journal Citi Story

December 23, 2009

Yesterday, I praised The Wall Street Journal for its fortitude in running a story saying hackers had stolen tens of millions of dollars from Citigroup in the face of a flat Citi denial.

I assume good faith on the part of the paper in handling sensitive stories like this, and let’s face it, if I’m going to believe somebody’s word without my own evidence, it’s going to be the WSJ‘s over Citigroup. Getting a story like that wrong is the kind of thing that will get a paper sued big time, so I wrote that this story must have been “one of the most heavily ‘lawyered’ WSJ stories in a good while.

Well, we’ll see.

ABC News reports, somewhat confusingly, that:

Government sources could not confirm to ABC News whether reports about Citigroup are entirely true but instead said “the truth here is somewhere in the middle.”

So, the truth is in the middle but they can’t confirm whether the reports are “entirely true”? How does that work?

Sign up for CJR's daily email

PC World on the other hand, has a source “within federal law enforcement,” as well as a bank-fraud investigator (no word if that’s an investigator for the banks or for someone else) saying the WSJ story is just wrong:

A source within federal law enforcement who declined to be identified said the Wall Street Journal story was inaccurate and appears to have confused a known 2007 hack of Citigroup-branded automated teller machines with a long-running criminal effort to hack online banking customers and move money out of their accounts.

“They’ve screwed up so many different things,” he said. The FBI had no comment.

A second banking fraud investigator, who also asked not to be identified because of his ongoing investigations, agreed with this assessment. The long-running effort to hack online banking by installing password-stealing Trojan horse programs known as Zeus and Clampi has affected many banks, but it has compromised customers’ PCs and not the banks themselves, he said.

It’s worth noting that the Journal quoted multiple government officials for its story, and whomever ABC and PC World are talking to may not have the same information. But their stories, in combination with the strenuous Citi denial, raise questions about the Journal‘s piece.

In response to a request for comment, reporter Siobhan Gorman said, “We’re in the process of clarifying with sources.”

One point of concern is that the hacks may have been just run-of-the-mill ones involving stealing customers’ passwords. That would be far less serious than the implication of the story, especially in the headline, that Citigroup’s system itself was breached, although the WSJ said in the second paragraph that:

It couldn’t be learned whether the thieves gained access to Citibank’s systems directly or through third parties.

But a few paragraphs down, it writes (emphasis mine):

Security officials worry that, beyond stealing money, hackers could try to manipulate or destroy data, wreaking havoc on the banking system. When intruders get into one bank, officials say, they may be able to blaze a trail into others.

That can’t happen through stealing customers’ passwords.

We’ll keep an eye on this one.

Ryan Chittum is a former Wall Street Journal reporter, and deputy editor of The Audit, CJR’s business section. If you see notable business journalism, give him a heads-up at rc2538@columbia.edu. Follow him on Twitter at @ryanchittum.