Citigroup has announced that personal information belonging to some of its credit card customers had been compromised by hackers. In total, about 1 percent of Citi's 21 million customers had their data taken.

The system breached was Citi Account Online, which contains names, addresses, account numbers, and similar information. Citi claimed that more sensitive data—such as dates of birth, social security numbers, and the CVV card security codes—was held elsewhere, and has not been compromised.

Citi also says that only credit card customers were affected; however, the Financial Times, which first reported the story, said that it had been contacted by debit card customers whose cards had been compromised.

The company said that the hacking was detected in early May by routine account monitoring, but offered no information on how the information was taken or by whom it might have been taken. Nor did Citi state whether the information had been used to perform fraudulent transactions.

Citi says that it is in the process of contacting customers about the problem. The FT reports that some cardholders discovered the issue when trying to make purchases, only to find the transactions refused and their cards blocked. Industry guidelines require the bank to inform its regulator of data breaches as soon as they are detected, but do not require it to inform customers if it is believed that doing so would jeopardize law enforcement investigations.

Though theft of credit card data is not unusual, taking it directly from a bank is rare. More often, hackers go after retailers, who have to physically handle cards and often store card details in their customer databases, or card-holders directly, using keyboard loggers embedded into malware.

Bank systems are assumed to be more robust and better-protected against attacks. This data breach shows that that confidence may be misplaced.