"Last year, Citibank and a small number of our customers were the victims of a third-party business' information breach," the company said. "We immediately began enhanced monitoring of the affected accounts for fraud, and in mid-February, we detected several hundred fraudulent cash withdrawals in three countries. To protect our customers' accounts, we blocked PIN-based transactions in those locations for the customers affected by the breach."
Citibank did not name the third-party business, although a story in the New York Times on Wednesday – citing unidentified sources – said the debit card information was obtained during a breach at OfficeMax Inc.
Several media outlets reported Russia, Canada and the U.K. as where the fraudulent transactions occurred.
News that some Citibank customers were locked out of their accounts was broken Sunday on the media/technology/pop culture Boing Boing website.
The site reported that a friend and Citibank customer tried to withdraw cash in Canada - but was met with a denial.
"To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution," the customer recalled.
Citibank said it is contacting affected customers and issuing them new cards.
"We regret any inconvenience this has caused," the company said. "Protecting our customers' accounts and personal information is one of our highest priorities."
A company spokesman declined to further comment on the fraudulent withdrawals.