Citigroup said computer hackers breached the bank's network and accessed the data of about 200,000 bank card holders in North America, the latest of a string of cyber attacks on high-profile companies.
Citi said the names of customers, account numbers and contact information, including email addresses, were viewed in the breach, which the Financial Times said was discovered by the bank in early May.
However, Citi said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.
"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event," Sean Kevelighan, a US-based spokesman, said by email.
"For the security of these customers, we are not disclosing further details."
In the brief email statement, Citi did not say how the breach had occurred.
Another Citi spokesman, James Griffiths in Hong Kong, said the breach had affected 1 percent of North American card customers, which the bank's annual report says total 21 million.
But like Japanese electronics and entertainment group Sony, which has declared several security breaches of its networks this year, Citi could come under fire for not telling customers sooner.
"It may be the bank's business, but it's the consumer's personal information so consumers deserve to be told about security breaches immediately," said Dan Simpson, a spokesman for Australia's Consumer Action Law Centre, an advocacy group.
"It's hard to see any reason why this sort of breach couldn't have been disclosed much sooner."
Citigroup joins a growing list of companies that have suffered cyber attacks.
Data storage firm EMC Ltd this week offered to replace millions of electronic keys after hackers used data from its RSA security division to break into the network of arms supplier and information technology provider Lockheed Martin.
Sony has reported several attacks, including one in which hackers accessed the personal information on 77 million PlayStation Network and Qriocity accounts.
Sony was criticised for a delay in telling account holders that their information had been stolen by hackers.
Google last week revealed a major attack on its Gmail accounts targeting, among others, senior US government officials that it said appeared to originate in China.
Washington has scrambled to assess if security had been compromised by the raid on Google's Gmail system, reflecting increasing concerns among global policymakers about cyber security.
Citi said it had discovered the unauthorized access at Citi Account Online, an online banking service, through routine monitoring.
"It's definitely a serious security breach when that amount of data's been stolen from a bank," said Sydney-based Ty Miller, chief technology officer of Pure Hacking, a network security company.
Citigroup global enterprise payments head Paul Galant, who previously ran the bank's credit card unit, said in April that security breaches are a fact of life for financial institutions.
"Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments," he told Reuters in an interview.
(Additional reporting by Abhishek Takle and Renju Jose in Bangalore and Sonali Paul in Melbourne; Editing by Vinu Pilakkott and Neil Fullick)