
I can only think of three scenarios which would result in this breach (but I could just be lacking imagination):

1.) This app has been sitting around in production and was never tested.

2.) This app was part of the normal testing procedures (which usually means it's tested annually) and somehow this vulnerability was missed in every test.

3.) This vulnerability was not present the last time the application was tested, and somehow this version was deployed before it was signed off on.

I've been around too long in this industry to claim that scenario 1 or 2 are impossible, but knowing the particulars, they seem exceedingly unlikely.

That leaves me to think it was the third scenario, which is still aberrant behavior on their part.

I feel bad when I hear about situations like this. As you mentioned in another comment, this is pretty much what we fear the most.



I don't know Citi at all, but at our fisrv customers I think (2) is more likely than (3) (neither is a mortal lock). I also think that this is a hazard of working with high-volume Big-4 type firms... but I want to tread lightly with that thought for obvious reasons.


No no, I absolutely agree with you (about the hazard). I worry about any company that puts all its app test eggs into one large contract with a big firm (a statement which I'm sure would make one of my salespeople cringe). I find that the places who use a combination of multiple app testing companies in combination with their internal teams seem to fare much better.

For this specific vulnerability, I find it shocking that even the most rudimentary assessment wouldn't have caught it; but my own personal befuddlement might be biasing me against thinking that (2) is likely.



