JPMorgan Chase discloses major data breach

A cyberattack against JPMorgan Chase & Co this summer has compromised customer information for about 76 million households and seven million small businesses, according to the bank.

The New York-based bank said on Thursday that names, addresses, phone numbers and email addresses were stolen from the company’s servers, but only customers who use the websites Chase.com and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected.

JPMorgan Chase said there is no evidence that the data breach included account numbers, passwords, Social Security numbers or dates of birth.

It also said it has not seen any unusual customer fraud arising from the data breach.

JPMorgan Chase, the biggest US bank by assets, has been working with law-enforcement officials to investigate the cyberattack.

The bank discovered the intrusion on its servers in mid-August and has since determined that the breach began as early as June, Patricia Wexler, a bank spokesperson, said.

“We have identified and closed the known access paths,” she said, declining to elaborate.

The company also disabled compromised accounts and reset passwords of all its technology employees, Wexler said.

In a post on its Chase.com website, the bank told customers that it does not believe they need to change their password or account information.

Wexler said the bank does not plan to reissue cards as a result of the breach of its servers, noting that customer account information was not stolen.

The breach is yet another in a series of data thefts that have hit financial firms and major retailers.

Series of data thefts

Last month, Home Depot said that malicious software lurking in its check-out terminals between April and September affected 56 million debit and credit cards.

Michaels and Neiman Marcus also have been attacked by hackers in the past year.

A data breach at Target in December compromised 40 million credit and debit cards.

TJX Cos’s theft of 90 million records, disclosed in 2007, remains the largest data breach at a retailer.

Last year, four Russian nationals and a Ukrainian were charged in what has been called the largest hacking and data breach scheme ever prosecuted in the US.

They were accused of running a hacking organisation that penetrated computer networks of more than a dozen major US and international corporations over seven years, stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars.

Heartland Payment Systems Inc, which processes credit and debit cards for businesses, was identified as taking the biggest hit in a scheme starting in 2007 – the theft of more than 130 million card numbers at a loss of about $200m.

Global Payment Systems, another major payment processing company, had nearly one million card numbers stolen, with losses of nearly $93m, according to prosecutors.

JPMorgan Chase’s assurances that they have not found any evidence of the personal data being misused should not be misinterpreted as a reason to rest easy, however.

The information still could be used in a variety of ways to defraud people in the months and years ahead.

Last month JPMorgan Chase began notifying customers that it would reissue credit or debit cards in the wake of the data breach at Home Depot.