Citigroup has released some additional information about the recent attack on its online credit card account management system, but the update sounds a defensive note and leaves many questions unanswered.
In a letter to customers posted on its website, Citi said it took "immediate action to rectify the situation," discovered May 10 during routine monitoring activities. Internal fraud alerts and enhanced monitoring were placed on accounts deemed at risk, and a "rigorous analysis" was started to determine which accounts and types of information had been compromised, the company said.
"The majority of accounts impacted were identified within seven days of discovery. By May 24, we confirmed the full extent of information accessed on 360,069 accounts. An additional 14 accounts were confirmed subsequently. To determine the cardholder impact required analysis of millions of pieces of data," the letter explained.
Of the 360,083 credit card accounts that were affected, 217,657 were reissued new cards along with a notification letter. Accounts weren't re-issued new cards if they'd been closed or already received a new card as a result of other activities. All the accounts are still subject to "heightened monitoring for suspicious activity," the company said.
The final number of affected accounts was significantly higher than news reports' initial estimates of 210,000 accounts.
The company still hasn't explained why no immediate disclosure was made of such a massive security breach, affecting 1 percent of North America Citi-branded credit card accounts, or why customers weren't told their names, account numbers and email addresses had been viewed by hackers.
Social Security numbers, birth dates, card expiration dates and card security codes (CVV) weren't compromised, according to the company, which added that customers aren't liable for any fraud on these accounts.
Citigroup also hasn't explained when the attack occurred, how the system was hacked, why the security was inadequate or how many accounts were victims of fraudulent charges. Whether those and other questions will ever be answered remains to been seen.
Follow me on Twitter: @marciegeff