JPMorgan says breach impacted 76M households and 7M small businesses

Bank says that breach investigation on going, but confirms that millions are impacted

jpmorgan
JP Morgan Securities Frederick Reimer works in his company's stall on the floor of the New York Stock Exchange January 6, 2014.
Credit: REUTERS/Brendan McDermid

On Thursday, JPMorgan Chase (JPMC) updated investors about their recently disclosed data breach in an 8-K filing with the Securities and Exchange Commission. The update comes hours after the financial giant disputed reports from the New York Times that they had experienced an additional security incident, calling the reports false.

The 8-K report says that user contact information, including names, addresses, phone numbers, and email addresses, as well as internal JPMC information relating to such users was compromised. The overall impact includes 76 million households and 7 million small businesses.

"However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack," the filing stated.

In addition, the bank said that they've not seen any customer fraud related to the compromised data. JPMC says their investigation is ongoing, and they're cooperating fully with various agencies during their investigations.

"Names and contact information alone isn’t going to get the thieves into financial accounts, but it’s seed data for launching phishing attacks against those 76 million households and 7 million small businesses," said Ryan Olson, Unit 42 intelligence director at Palo Alto Networks, when asked for his thoughts.

The bank's security woes came to light in August, after a Bloomberg report said that federal investigators were investigating reports that Russian hackers had compromised gigabytes of data.

On Thursday, the New York Times reported that the bank had suffered a second breach of its systems, citing sources with knowledge of the investigation. JPMC denied the report, calling the claims false.

In an update, the New York Times added that while the bank "found evidence of previously unknown hacking, it says the latest discovery does not constitute a breach separate from an earlier one."

Again, as suggested by Olson, the fallout from the latest update could impact a far larger swath of the public, as criminals jump on the breach bandwagon to further their schemes.

"We may see piggyback attacks where cybercriminals launch social engineering attacks that cash in on the customer anxiety that follows the news of any big-name breach," said Rapid7's engineering manager, Tod Beardsley.

"The usual advice applies: If you get an e-mail or a call from a JP Morgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card or statement for the contact number; you simply can't trust that an incoming call or e-mail is legitimate and not a phishing attempt."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.