Citigroup Inc. has told government officials that about 3,400 of the customers whose credit-card information was improperly obtained by hackers have suffered about $2.7 million in losses, according to people familiar with the matter.
The disclosure is the first acknowledgement by the New York company that the May security breach resulted in any losses. Citigroup has previously indicated it would cover any losses, saying customers wouldn't be liable for unauthorized use of their accounts in connection with the attack.
The accounts where losses occurred amount to less than 1% of the cards affected by the breach and 0.01% of Citigroup's outstanding credit cards in North America.
Citigroup announced the data breach on June 9 and said six days later that "data that is critical to commit fraud was not compromised," including Social Security numbers, birthdates and card expiration dates and security codes.
But the hackers did obtain card numbers, account names and emails that could have been used with resources that were improperly obtained through other means to cause losses, one person familiar with the breach said.
Last week, Citigroup said 360,069 accounts were hacked, or 1.5% of its 23.5 million North American credit-card accounts.
Citigroup disclosed the losses when briefing government officials this week about the breach. The bank has said it instituted fraud monitoring on the accounts, and replaced 217,657 cards for customers whose accounts were still active and who hadn't received new cards for other reasons.
The breach was discovered May 10. On May 24, Citigroup began developing notification packages and producing replacement cards, which were sent out starting on June 3. The reported losses would amount to $794 per customer.
The size of the losses is a small fraction of recent annual totals of $48 billion in identity fraud losses and 9.9 million customer victims, according to data on CreditCards.com.