JPMorgan breach likely impacts UCard users – again

Bank issues warning to state agencies in Louisiana, others likely to follow


The story is nearly identical to one from almost a year ago. It starts with JPMorgan Chase disclosing that they've suffered a data breach.

The bank says that an unknown number of records have been compromised, but it's certain that the incident impacts customers from various services, including those using JPMorgan's UCard.

In 2013, the story focused on a breach that occurred in July and was detected and addressed in September. Several months later, JPMorgan's most recent security problems were detected sooner, but the end result is still the same: gigabytes of data were compromised, including customer (savings and checking account) and corporate (HR) records.

As such, JPMorgan Chase once again initiated the communications aspect of their incident response plan last week, and notified state agencies that people using pre-paid debit cards could be impacted by this latest breach.

The notification was confirmed by the Louisiana Department of Revenue. The agency said in a statement that the bank alerted them to the possibility that personally identifiable information required for various state contracts may have been breached.

However, the bank admitted that it doesn't know "if or to what extent information on Louisiana citizens may have been exposed," said Byron Henderson, the Communications Director for the Louisiana Department of Revenue.

JPMorgan offers debit cards to various state agencies – called UCards – so that they can process payments more easily.

The UCard program is used by state agencies all over the country. For example, aside from Louisiana, the program is operational in Utah, Texas, Connecticut, Illinois, Pennsylvania, Ohio, New York, Missouri, Kansas, and Oklahoma.

State payroll is the most common use; however, the UCard program is also used for state assistance payments (EBT), child support payments, education assistance payments, unemployment payments, and tax refunds. After the breach in 2013, Louisiana passed a law that requires tax refunds to be made by paper check unless the recipient requests otherwise.

In 2013, the JPMorgan breach required that at least 50,000 people be notified, but the incident only impacted UCard customers. This time, the full scope of the breach remains unknown, but it's not looking good.

Phishing problems:

In the aftermath of the 2013 incident, UCard users and customers were targeted by a Phishing campaign requesting personal and financial information. Given the importance that the UCard program has to so many, those emails couldn't have come at a worse time.

Prior to this most recent breach, JPMorgan customers were once again targeted by a Phishing campaign. This one sought credentials and delivered financial malware – a unique twist to the common Phishing theme that normally targets Chase customers.

However, just before the holiday, Salted Hash was alerted to a problem that could leave some customers oblivious to the risks posed by Phishing. With examples dated as far back as June of this year, one reader pointed out that Chase's security concerns extend far beyond the network.

Chase has been requesting that customers with concerns about the legitimacy of a given message, such as an email confirming a payment or the existence of a new statement, click a link embedded within the email itself.

However, over the weekend, another reader forwarded an email promoting the Chase banking application. Again, customers with doubts about the authenticity of the message are encouraged to follow a link. But this time, it gets a bit more frustrating.

The images and the links in the message are from a third-party marketing vendor, and only after they're clicked will the user be forwarded to a Chase domain.

While it isn't something that's frequently discussed, Phishing campaigns can be developed based on marketing schemes, taking on the guise of opt-in corporate spam. They're not as successful as the campaigns that make headlines, but they don't have to be, as fake spam runs are cheap and easy to make.

Now, not only are customers trained to click links in emails; when they spot an email using a domain unrelated to the brand, it's almost as if someone said, "That's okay, click anyway."
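The problem described above, that a legitimate bank email carries links on a vendor domain that only redirect to the brand after the click, can be checked for mechanically before a message is trusted or forwarded to users. The following is an added example, not code from the article or from Chase: it labels each link in a constructed sample email as a brand-domain link, a third-party (vendor) link, or a lookalike host that merely contains the brand name. The allowlist, the sample HTML and the vendor and lookalike hostnames are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts the brand itself controls (an assumption).
BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}


class HrefCollector(HTMLParser):
    """Collect the href target of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels (fine for .com, wrong for co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_links(html_body: str) -> list:
    """Label each link 'brand', 'third-party' or 'lookalike' by its host.

    A vendor link that later redirects to the brand is still 'third-party':
    the reader cannot see the redirect before clicking, which is the problem.
    """
    parser = HrefCollector()
    parser.feed(html_body)
    brand_names = {d.split(".")[0] for d in BRAND_DOMAINS}
    results = []
    for href in parser.hrefs:
        host = urlparse(href).hostname or ""
        if registrable(host) in BRAND_DOMAINS:
            verdict = "brand"
        elif any(name in host for name in brand_names):
            verdict = "lookalike"      # brand name inside a foreign host
        else:
            verdict = "third-party"    # e.g. a marketing or tracking vendor
        results.append({"href": href, "host": host, "verdict": verdict})
    return results


# Constructed sample body; the vendor and lookalike hosts are placeholders.
SAMPLE_EMAIL = """
<p>Get the Chase Mobile app.</p>
<a href="https://www.chase.com/mobile">Learn more</a>
<a href="https://links.marketing-vendor.example/c/abc123">Download now</a>
<a href="https://chase.com.account-verify.example/login">Verify now</a>
"""

if __name__ == "__main__":
    for link in classify_links(SAMPLE_EMAIL):
        print(f"{link['verdict']:12} {link['host']}")
```

A mail gateway or user-awareness tool can refuse to treat a message as "from the bank" unless every link resolves to a brand domain, which is exactly the rule the vendor-hosted links break.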
