Citigroup said that around 3,400 customers whose credit card information was hacked in a data breach that affected 360,000 actually had money taken from their accounts, the newspaper said, citing people familiar with the matter.
In announcing the original data breach, Citigroup said that customer names, account numbers, and contact information were accessed by hackers, but that information needed to commit fraud, such as social security numbers, dates of birth, card expiration dates, and card security codes, was not compromised. Apparently, the hackers were able to obtain money directly from the customer accounts and did not need the additional information.
In response to the breach, Citigroup reissued cards to 217,657 customers, but clients were not reissued cards if the account was closed or had already received a new card as a result of other card replacement practices.
The highest number of Citi credit card customers affected by state were California (80,454), Texas (44,134), and Illinois (30,054).
Citigroup found out about the data breach on May 10 but did not begin sending out notification letters until June 3. In a Senate hearing earlier this month, Sen. Robert Menendez (D-N.J.) criticized Citigroup for the delay in notification.
Menendez said that his chief of staff had his Citi credit card account compromised, but only found out when he tried to use the card and it was declined. He called Citigroup and found out his account had been hacked, according to a report on the hearing by IDG News.