Citing an anonymous source, The Wall Street Journal reported ($) on its website Monday that Citigroup Inc., spent a maximum of three weeks waiting to inform its credit card account holders of a security breach.
The Journal reported that its source was "a person familiar with the situation" and didn't provide further details about the source or why anonymity was granted.
The source attributed the delay to the bank's internal investigation, which required between 10 and 12 days, and the week it took to notify all affected customers and to send out most of the replacement credit cards that had to be produced, the Journal reported.
Citigroup announced Thursday that hackers stole account numbers, email addresses and names of 200,000 credit card customers. The Journal reported the attack happened in early May and noted that the number of account holders affected represented 1 percent of the bank's credit card customers in North America.
The bank didn't start notifying customers about the attack or sending them new cards until June 3, six days before news of the attack became public, the Journal reported.
The bank said the information that was breached wasn't enough to allow criminals to make charges on customers' accounts; however, The Associated Press reported Friday that the theft could lead to so-called "phishing" attacks, which are usually emails identity thieves send to customers that appear to be from the bank asking for more account information.