Does your bank have an Incident Response Policy with precise guidelines outlining notification to customers of potential security breaches? GLBA requires specific information to be provided to your customers, including certain phone numbers and web sites for information on identity theft (see GLBA or your policy for details). I would err on the side of caution and assume the worst - notify your customers immediately, flag the accounts and retrain EVERY employee on safeguarding the accounts as best you can. You may also want to study the costs of providing these 100 accounts some type of monitoring for a year or so.