US banking giant Citigroup is replacing all customer debit cards that were hit by a massive data breach at the third-largest US retailer Target, according to media reports.

Citi is the second major bank in the US to do so after the security breach was discovered in December.

The bank did not replace the debit cards sooner because it wanted to minimise disruptions during the holiday shopping season, the New York Times reported, citing a person briefed on the bank's decision.

"This is being done as a precautionary measure," Citi spokeswoman Elizabeth Fogarty told Reuters in an email. However, she declined to provide details on the number of debit cards being reissued.

Citi said it will begin sending out new debit cards soon, but it will not reissue credit cards.

Earlier, JPMorgan Chase took a similar step just a few days after the data breach was discovered. The bank replaced two million of its 23 million debit cards. JPMorgan is also not replacing its credit cards, which have added security layers.

Bank of America, Wells Fargo and US Bank said they are carefully watching cards for any fraud, but they are yet to reissue debit or credit cards.

Data Breach

Target discovered a major security breach in December 2013. Payment data from about 40 million credit and debit cards were stolen from Christmas shoppers at its stores over 19 days between 27 November and 15 December.

It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.

The two sets of numbers could have contained some overlap, according to a company spokeswoman.

Target has confirmed that cybercriminals used malware installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.

In an open letter published in several US newspapers, Target's CEO Gregg Steinhafel has apologised for the data breach and vowed to cover all fraudulent charges arising from the breach.