Citigroup has confirmed only US-issued Citi credit card accounts were affected by a breach of Citigroup Bank data by hackers in May, but has revised upwards the number of accounts involved.
Initial estimates put the number of accounts affected by the data breach at around 210,000. Now Citigroup says just over 360,000 accounts were affected, requiring 217,657 cards to be replaced.
Some accounts were not re-issued credit cards if the account was closed or had already received new credit cards as a result of other card replacement practices, Citigroup said in a statement.
Citigroup confirmed the breach was discovered on 10 May, but said the cyber attack affected only Citi Cards' Account Online system, and had been rectified immediately. Neither the main cards processing system, nor any other Citi consumer banking online systems, were accessed or compromised, the Citigroup Bank said.
Citigroup Bank investigators found hackers had accessed customer details, including name, account number and contact information. The bank says data critical to commit fraud, such as the card security code, was not compromised.
As of May 24, Citigroup Bank began preparing to replace cardholder accounts and notification letters. The letters were sent out from 3 June 2011, ahead of the public notification on 9 June.
Citigroup said it implemented enhanced procedures to prevent similar incidents from happening. Citigroup Bank notified law enforcement and government officials.
Citigroup said customers would not be held liable for fraudulent charges and could take advantage of free identity theft protection assistance, if required.
Citing continuing law enforcement investigation, Citigroup provided no additional details about how its system was infiltrated.
US authorities have demanded that Citigroup hand over details of its security and provide evidence it will be able to prevent further breaches.
US law enforcement officials are worried other financial websites could be vulnerable to similar cyber attacks.
The breach is being probed by the US Secret Service as part of its mission to protect US currency. The US Department of Homeland Security is considering whether to notify other institutions about how the attackers gained access to Citigroup's systems.