The breach, which occurred in early May at Citi Account Online, was found by the US bank through routine monitoring.
According to the bank, about 1% of its card customers were affected by the breach, with their names, account numbers and email addresses compromised.
However, the New York-headquartered bank claims that other details such as birth dates, social security numbers, card expiration date and card security code were not compromised.
Citigroup said it had informed law-enforcement officials and tightened fraud-detection procedures; it declined to provide further details, the Economic Times newspaper reported.
Citigroup joins a growing list of companies that have suffered cyber attacks. Recently, electronics giant Sony, Google, Lockheed Martin, and PBS have reported similar security system breach.