JPMorgan Chase Hack Impacts 76 Million Households
A cyberattack on JPMorgan Chase this summer has compromised the personal information of 76 million households and 7 million small businesses, making it one of the largest data breaches ever.
In a securities filing on Thursday, the bank revealed details of the breach first disclosed in August, noting that user contact information — including names, addresses, phone numbers, and email addresses — was stolen. At this point, however, there is no evidence that user account data — such as account numbers, passwords, user IDs, birthdates, or Social Security numbers — was compromised during the attack.
In addition, the company reiterated that it has not discovered any unusual customer fraud related to the breach. Customers are not liable for any unauthorized transactions that they "promptly" report to the firm.
"[JPMorgan] continues to vigilantly monitor the situation and is continuing to investigate the matter," according to the filing. The company is also working with the government on its investigation of the breach.
The intrusion began in June but was not discovered until July, and its impact is more widespread than initially thought, according to a report from The New York Times, citing several people with knowledge of the attacks. Until a few weeks ago, JPMorgan executives believed that just one million accounts were compromised.
The hackers gained entry into the company's systems by first getting their hands on a list of applications and programs that run on employees' computers. They then exploited known vulnerabilities in those programs and Web applications to break into the bank's network and obtain administrative privileges to dozens of servers.
It could take months for the bank to clean up its systems, possibly giving hackers time to exploit additional vulnerabilities that would allow for re-entry in the future, the Times' sources said.
JPMorgan customers should be on the lookout for phishing emails attempting to trick them into handing over even more personal information, like their usernames and passwords. Moreover, the breach may be especially harmful for those small businesses that were affected, said John Zurawski, vice president for security firm Authentify.
"Many small businesses are often no better protected, from an IT perspective, than the average home computer," he said. "On the other hand, there could be considerably more money involved including payroll accounts. Adding employees to a payroll account and paying them usually doesn't trigger an alarm."
Small businesses should immediately change their passwords, and JPMorgan will have to authenticate those requests carefully, Zurawski said.
For more on the breach and what it means to you, check out the video below.