Citigroup said more credit card accounts were hacked into than originally reported.
NEW YORK (CNNMoney) -- Citigroup has released more details on last month's hack attack, revealing that far more credit card accounts were accessed than originally reported, and took more than three weeks to notify customers.
Citigroup (C, Fortune 500) said that it discovered, on May 10, that 360,083 credit card accounts had been hacked into.
This is a significant increase from the number that Citigroup had reported on June 13, when it said that "roughly 1%" of its 21 million credit card accounts had been hacked, which would have been 210,000 accounts.
"Only accounts in the U.S. were impacted," said Citigroup, noting that new credit cards were re-issued to 217,657 of the hacked accounts, along with a notification letter.
"Some accounts were not re-issued credit cards if the account is closed or has already received new credit cards as a result of other card replacement practices," said Citigroup. "These accounts continue to receive heightened monitoring for suspicious activity."
Citigroup said it waited until June 3, more than three weeks after the discovery, to start sending out notification letters, "the majority of which included reissued credit cards."
"Citi has implemented enhanced procedures to prevent a recurrence of this type of event," the company said. "We have also notified law enforcement and government officials. For the security of our customers, and because of the ongoing law enforcement investigation, we cannot disclose further details regarding how the data breach occurred."
Citigroup provided a state-by-state breakdown of the hacker victims. The state with the most hacked accounts -- some 80,454 -- was California, the most populous state in the union.
There have been other high-profile security breaches in recent months. Sony (SNE) was subjected to major hacks in April and May, affecting several of its gaming systems and potentially compromising tens of millions of credit card numbers.
In a separate case, hackers used SecurIDs -- the tokens used by office workers to access corporate systems -- to launch cyber attacks against Lockheed Martin (LMT, Fortune 500). The maker of the tokens, RSA Security, a division of EMC Corp (EMC, Fortune 500)., offered to replace or monitor all SecurIDs.
Bank of America (BAC, Fortune 500) employees and some clients use the tokens. The banks said they will be replaced.