Citigroup Inc. waited as long as three weeks to notify credit-card customers of a hacking attack because it was conducting an investigation and producing replacement cards, according to a person familiar with the situation.
The internal investigation took 10 to 12 days and began within 24 hours of the discovery by Citigroup officials in early May that the New York bank's systems had been breached, this person said. In some cases, Citigroup took action to protect accounts considered vulnerable to fraud.
Citigroup publicly disclosed the attack last Thursday, saying it affected about 200,000 customers, or 1% of the company's card users in North America. The company said it had referred the matter to law-enforcement authorities and planned to send replacement cards to a majority of the affected customers.
Some critics have accused Citigroup officials of dragging their feet in notifying customers that some of their data has been compromised. The Senate banking committee is planning hearings on data security. The breach follows other attacks that are fueling concerns among financial regulators and security experts that banks and other companies aren't doing enough to protect themselves and their customers.
"Every minute that passes after a hacker gains access to customers' confidential information means a greater risk of both monetary and identity theft," said Mandeep Khera, an official at Cenzic Inc., an online-security firm in Santa Clara, Calif. Mr. Khera said Citigroup had "done a disservice" to customers because of the delay.
Other recent targets of similar attacks include Sony Corp. and Lockheed Martin Corp. Security experts say financial institutions are a top target. On Saturday, the International Monetary Fund said it had been hit by "a cybersecurity incident."
The person familiar with Citigroup's response to the breach said company officials responded to discovery of the attack immediately. In late May, the company launched a week-long process for a mailing to notify the roughly 200,000 customers of the breach and provide replacement cards to most of them. Customer notification and shipment of new cards began June 3, six days before Citigroup publicly disclosed the attack.
Citigroup said the hackers obtained access to data such as names, account numbers and email addresses. The breach didn't compromise Social Security numbers, dates of birth, card security codes or expiration dates. Bank officials have said the data that was exposed wasn't enough to perpetrate fraud on its own.
Before the official customer notification, Citigroup moved to protect certain customers by placing an internal fraud alert on the accounts of all customers deemed at risk, the person familiar with the matter said.
Some experts suggested that Citigroup's response was reasonable. By discovering and investigating the breach itself, Citigroup was able to "allay" customer fears about data that wasn't compromised, said Joe Gottlieb, chief executive of SenSage Inc., a Redwood City, Calif., firm that develops software to reduce fraud and compliance risks.