The attack on financial conglomerate Citigroup's IT systems compromised nearly twice as many user accounts as was first thought, and over 360,000 customers are now thought to have been affected.
The company revealed in a statement on Wednesday that 360,083 of its North American Citi accounts were hit, a far greater number than the one per cent of its US customers, or around 210,000 accounts, initially stated.
Citigroup's annual report puts the bank's total number of customers at 21 million. Reports suggest that the disparity in the figures is due to the group having added more accounts since its annual report, as well as variations such as some customers having more than one account.
In the statement, Citigroup revealed that it first discovered the hack on 10 May. However, while name, account number and contact information, including email address, were exposed, "data that is critical to commit fraud", such as social security number, date of birth and card expiration date, was not.
"Upon discovery, internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk," the bank said.
"Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery."
However, the detailed explanation of Citigroup's internal processes will do little to quell criticism of its response to the breach, as the company took a full 24 days to notify its customers.
"Citi has implemented enhanced procedures to prevent a recurrence of this type of event. We have also notified law enforcement and government officials," Citibank added.
"For the security of our customers, and because of the ongoing law enforcement investigation, we cannot disclose further details regarding how the data breach occurred."
Citigroup is just the latest in a long list of high-profile organisations which have had the strength of their information security systems called into question by recent hacks, including Sony, Nintendo, Acer and the IMF among many others.
Use the same password for every website? It might be time to change them all
Applicants for parking bay suspensions put at risk of credit card fraud by Islington Council
Robert Swan appointed interim CEO after Brian Krzanich's departure
Should you link your data sets to add value, or leave them separate to reduce risk?