In a statement, Citigroup said the breach by computer hackers was discovered May 10. A bank investigation and containment of the data theft was begun immediately, the bank said, The New York Times reported Thursday.
By May 24, Citigroup concluded 360,000 credit card accounts had been comprised.
The bank, however, said Social Security numbers, security codes provided for each credit card and expiration dates for the accounts were not stolen, making it hard for the thieves to make use of the names, account numbers and e-mail addresses that were stolen.
The bank said it began notifying customers of the breach June 3 and made the news public June 9.
Several state and federal agencies are looking into the breach, including the Secret Service and the FBI, the Times said.