The hackers who breached Citi's systems last month reputedly used the stolen data to loot around $2.7 million from the accounts of 3400 customers.
On 10 May crooks compromised details - including names, account numbers and e-mail addresses - belonging to around 360,000 North American credit card customers.
However, in a letter to customers earlier this month, Citi insisted that "data that is critical to commit fraud was not compromised: the customers' social security number, date of birth, card expiration date and card security code (CVV)".
Despite this, it has now told government officials that the accounts of 3400 customers have suffered around $2.7 million in total losses, according to the Wall Street Journal, citing sources that speculate the information could have been used in conjunction with other stolen data to get at clients' money.
The bank has already assured customers they are not liable for any losses and begun reissuing over 200,000 cards.
Citi has yet to reveal how the breach occurred but the New York Times says the hackers allegedly broke in via its public Web site, focussing on a simple vulnerability in the browser address bar.