Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

465,000 JP Morgan Chase Card Users as Blue as the Bank’s Logo since Hack Exposed Personal Information

By ThreatMetrix

You have to wonder if Jamie Dimon, JP Morgan Chase’s CEO, gets a discount on aspirin… or possibly earplugs. Under his watch, the company lost $5.8 billion as a result of trading by the London whale (plus $920 million in fines because it withheld information from its audit committee about “Moby Dick.” And yes, an additional $100 million fine had to be paid to the Commodity Futures Trading Committee over the same incident. Add ‘em together and it comes to a cool $1 billion). And, just this past November, the US Justice Department announced that JP Morgan Chase agreed to pay $13 billion to settle investigations into its business practices pertaining to mortgage-backed securities, which is the biggest fine ever levied.

Considering what JP Morgan Chase has been involved in, maybe nobody bothered to even inform Jamie. After all, a breach that exposed some 465,000 customers is relatively small potatoes. Okay, not to the people who may have had their information compromised. Anyway, in a Reuters story, David Henry and Jim Finkle provided a detailed account of the cyberattack and its aftermath.

JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July. The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits.

JPMorgan said on Wednesday it had detected that the web servers used by its site had been breached in the middle of September. It then fixed the issue and reported it to law enforcement.

Bank spokesman Michael Fusco said that since the breach was discovered, the bank has been trying to find out exactly which accounts were involved and what information may have been compromised. He declined to discuss how the attackers breached the bank’s network.

Fusco said the bank was notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it couldn’t rule out the possibility that their personal information was among the data removed from its servers.

The bank typically keeps the personal information of its customers encrypted, or scrambled, as a security precaution. However, during the course of the breach, personal data belonging to those customers had temporarily appeared in plain text in files the computers use to log activity.

The bank believes “a small amount” of data was taken, but not critical personal information such as social security numbers, birth dates and email addresses…. The bank is also offering the cardholders a year of free credit-monitoring services.

The warning only affects the bank’s UCard users, not holders of debit cards, credit cards or prepaid Liquid cards.

Fusco said the bank had not found that any funds were stolen as a result of the breach and that it had no evidence that other crimes have been committed. As a result, it was not issuing replacement cards.

The spokesman declined to identify the government agencies and businesses whose customers it had warned about the breach.

Officials from the states of Louisiana and Connecticut said the bank notified them this week that personal information of some of their citizens may have been exposed.

Louisiana citizens included about 6,000 people who received cards with state income tax refunds, plus 5,300 receiving child support payments and 2,200 receiving unemployment benefits, according to a statement from state Commissioner of Administration Kristy Nichols…. Nichols said Louisiana would “hold JP Morgan Chase responsible” for protecting the rights and personal privacy of the citizens.

Connecticut Treasurer Denise Nappier said she was “dismayed” that the bank took two and a half months to notify the state of the problem. “JPMorgan Chase has some work to do, not only to assure the holders of its debit cards, but also to restore the state’s confidence in the company’s ability to remain worthy of our continued business,” Nappier said….

The bank said it didn’t know who was behind the attack, though the Secret Service and FBI were investigating the matter.

Businesses and government agencies are increasingly using prepaid cards because they are easier to cash than paper checks. Yet the vast stores of data behind payment cards of all kinds have created new risks.

In 2007, some 41 million credit and debit card numbers from major retailers, including the owner of T.J. Maxx stores, were stolen.

In May of this year, U.S. prosecutors said a global cybercrime ring had stolen $45 million from banks by hacking into credit card processing firms and withdrawing money from automated teller machines in 27 countries.
