People make transactions through Citibank ATMs.
People make transactions through Citibank ATMs. - 
Listen To The Story

BOB MOON: Don't bother stopping me if this sounds familiar: Hackers have breached online security at -- insert big corporation's name here. This time, the names, account numbers and email addresses of hundreds of thousands of Citibank credit card customers were compromised in early May. So why are we just hearing about it now -- and only after a newspaper started asking questions?

We put that question to Marketplace's Amy Scott.

AMY SCOTT: Citigroup isn't the only company to delay notifying its customers of a security breach. When hackers stole personal data from millions of Sony Playstation accounts, Sony waited five days to tell account holders. That set off a torrent of online outrage.

But there are reasons companies don't rush to sound the alarm. Rik Ferguson is director of security research at Trend Micro. He it takes time to figure out exactly which information was stolen and who was affected.

RIK FERGUSON: It's more helpful to minimize the disruption to your affected customers and to eliminate any concern or disruption of your unaffected customers and you can only really do that as a result of a thorough investigation. And unfortunately that does take time.

If you're a Citi customer, the bank says it's in the process of contacting those affected. One reassuring note -- no social security numbers, card expiration dates, or those three-digit security codes on the back of the card were stolen.

I'm Amy Scott for Marketplace.

Follow Amy Scott at @amyreports