The exact number of customers affected was not far off the mark. In a statement posted late Wednesday on its website, the company said 217,657 people were sent new cards along with notification letters starting June 3.
Hackers gained access to a total of 360,083 accounts but because many of the accounts were duplicates or already closed, they weren't affected and did not need to be sent replacement cards, Citi said.
The bank said it discovered on May 10 that hackers used its Account Online system to access the data for North America Citi-branded credit cards issued in the U.S.
The bank said last week that hackers accessed customer names, account numbers and contact information, including e-mail addresses.
But they weren't able to get their hands on social security numbers, dates of birth, card expiration dates or card security codes, information that can be useful in identity theft.
Internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk as soon as the breach was discovered, Citi said.
Citi said it has notified police and government officials.
"For the security of our customers, and because of the ongoing law enforcement investigation, we cannot disclose further details regarding how the data breach occurred," it said.
Citi reassured customers that they weren't liable for any unauthorized use of their cards and urged them to review account statements to report any suspicious transactions.
It's the latest in a series of high-profile data attacks against big companies and institutions. The International Monetary Fund said Sunday that it was investigating an attack on its computer system.
Google Inc. said earlier this month that Gmail accounts of several hundred people had been breached. In April, Sony Corp.'s Playstation Network was the victim of a massive security breach that affected more than 100 million online accounts.