JPMorgan Chase breach affected 83 million customers

The breach also compromised internal data

Names, addresses, phone numbers and email addresses were compromised in a cyberattack on JPMorgan Chase but no "unusual" fraud has yet been detected.

All told, 76 million households and 7 million small businesses were affected, the bank wrote in an 8-K filing Thursday to the U.S. Securities and Exchange Commission.

In addition to customer information, the attack also "compromised internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with," according to an FAQ for customers on its website.

Bank account numbers, passwords, user IDs, birth dates as well as credit, debit and Social Security numbers are not believed to have been compromised, it wrote.

"Since we have seen no evidence of unusual fraud activity, we don't think customers need to go through the inconvenience of having their cards reissued," the notice said.

The bank didn't provide many other details about the attack, but said its customers who used its online or mobile services on, JPMorganOnline, Chase Mobile or JPMorgan Mobile were affected.

A JPMorgan Chase spokeswoman said via email Thursday that the bank experienced only one attack, which lasted from June through August.

The regulatory filing contained the most information JPMorgan Chase has released to date on the scope of the attacks, which surfaced in media reports in late August.

At that time, JPMorgan Chase declined to confirm the attacks, saying that companies of its size experience cyberattacks nearly every day.

The U.S. Federal Bureau of Investigation said around the same time that it was working with the Secret Service to determine the scope of the attacks, which were rumored to affect other U.S. financial institutions.

Because no financial data was compromised, JPMorgan Chase said it is not "necessary" for customers to subscribe to a credit or identity theft monitoring service. Many companies that have experienced a data breach offer those services for free, usually for a year.

It warned that phishing attacks -- which seek to trick users into visiting malicious websites or clicking risky links -- are the biggest risk after contact information has been compromised.

"Don't click on links or download attachments in emails from unknown senders or other suspicious email," the bank advised. "We will never ask you to enter your personal information in an email or text message."

The bank said its probe is continuing and it is working with government agencies that are also investigating.

"Attacks like these are frustrating," it said in another statement on its website. "There are always lessons to be learned, and we will learn from this one and use that knowledge to make our defenses even stronger."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
