JPMorgan warns 465,000 card users on data loss after cyber attack


By David Henry and Jim Finkle

NEW YORK/BOSTON, Dec 5 (Reuters) - JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cardsissued by the bank that their personal information may have beenaccessed by hackers who attacked its network in July.

The cards were issued for corporations to pay employees andfor government agencies to issue tax refunds, unemploymentcompensation and other benefits.

JPMorgan said on Wednesday it detected that its web serversused by its site had been breached in themiddle of September. It then fixed the issue and reported it tolaw enforcement.

Bank spokesman Michael Fusco said that in the months sincethe breach was discovered the bank has been investigating tofind out exactly which accounts were involved and what pieces ofinformation could have been taken. He declined to discuss howthe attackers breached the bank's network.

Fusco said the bank is notifying the cardholders, whoaccount for about 2 percent of its roughly 25 million UCardusers, about the breach because it cannot rule out thepossibility that their personal information was among the dataremoved from its servers.

The bank typically keeps the personal information of itscustomers encrypted, or scrambled, as a security precaution.However, during the course of the breach, personal databelonging to those customers had temporarily appeared in plaintext in files the computers use to log activity.

The bank believes "a small amount" of data was taken, butnot critical personal information such as social securitynumbers, birth dates and email addresses.

Cyber criminals covet such data because it can be used toopen bank accounts, obtain credit cards and engage in identitytheft. Many states require banks to notify customers if theybelieve there is any chance that such information may have beentaken in a breach.

The bank is also offering the cardholders a year of freecredit-monitoring services.

The warning only affects the bank's UCard users, not holdersof debit cards, credit cards or prepaid Liquid cards.

Fusco said the bank has not found that any funds were stolenas a result of the breach and that it has no evidence that othercrimes have been committed. As a result, it is not issuingreplacement cards.

The spokesman declined to identify the government agenciesand businesses whose customers it had warned about the breach.Fox 8 News in New Orleans reported on its website that threeLouisiana agencies were notified by the bank on Wednesday thatthe personally identifiable information of some state citizensmay have been exposed.

State officials could not be reached for comment lateWednesday.

The bank said it does not know who was behind the attack,though the Secret Service and FBI are investigating the matter.

Businesses and government agencies are increasingly usingprepaid cards because they are easier to cash than paper checks.

Yet the vast stores of data behind payment cards of allkinds have created new risks. In 2007 some 41 million credit anddebit card numbers from major retailers, including the owner ofT.J. Maxx stores, were stolen.

In May of this year U.S. prosecutors said a globalcybercrime ring had stolen $45 million from banks by hackinginto credit card processing firms and withdrawing money fromautomated teller machines in 27 countries.

View Comments (2)