JPMorgan Chase is warning 465,000 holders of pre-paid cash cards issued by the US bank that their personal data may have been hacked.
The bank's network was attacked in July, and it was detected in September that servers had been breached.
JP Morgan said it found no evidence that money was taken from accounts.
However, a "small amount" of data was taken, but nothing critical such as social security numbers, birth dates and email addresses, the bank said.
The pre-paid cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits.
The almost half-a-million customers were being contacted because JPMorgan said it could not be sure which accounts had been breached.
The warning only affects the bank's UCard users, not holders of debit cards, credit cards or pre-paid Liquid cards.
Officials from the states of Louisiana and Connecticut said the bank notified them this week that personal information of some of their citizens may have been exposed.
Louisiana citizens included about 6,000 people who received cards with state income tax refunds, plus 5,300 receiving child support payments and 2,200 receiving unemployment benefits, according to a statement from state Commissioner of Administration Kristy Nichols.
The bank said it didn't know who was behind the attack, although agencies including the FBI were investigating the matter.