The database breach this past summer at JPMorgan Chase, the largest bank in the United States by assets, was much more extensive than previously thought, affecting 83 million persons and businesses, the bank said today (Oct. 2) in a filing with the Securities and Exchange Commission.
However, the customer data accessed was not especially sensitive, and was limited to contact information: names, street addresses, email addresses and telephone numbers, JPMorgan Chase said. No money appeared to have been stolen.
"There is no evidence that account information for such affected customers (account numbers, passwords, user IDs, dates of birth or Social Security numbers) was compromised during this attack," JPMorgan Chase said in the SEC filing. "The Firm continues to not have seen any unusual customer fraud related to this incident."
JPMorgan Chase denied a report earlier today in The New York Times that the bank had suffered a second major computer-system incursion. The Times later updated its story to say that there had been only one ongoing incident.
By itself, the exposure of such contact information is not especially dangerous, as much of it is public already. But it can be used to fill in blanks on partial profiles created from earlier data breaches, such as by matching names to stolen credit cards or email addresses, and also be used in spam or phishing attacks.
"The fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials," Adam Kujawa of San Jose, California-based Malwarebytes said in a statement.
No increase in payment-card fraud or identity theft involving JPMorgan Chase customers has been reported. Until either is, there's not much bank customers need to do.
If the number of compromised accounts is verified, the JPMorgan Chase incursion would be among the largest data breaches to ever occur in the United States. Last year's Target breach, by comparison, involved 70 million compromised customer records and 40 million stolen payment-card numbers.
The breach may involve more people than JPMorgan Chase has customers, which number about 65 million. Unnamed sources told Bloomberg News and The Wall Street Journal that the data involves persons and businesses, including former and prospective customers, who used the company's mobile apps or websites, including chase.com and jpmorgan.com.
Sources told The Wall Street Journal that the attack began with the compromise of a JPMorgan Chase employee's personal computer, which allowed entry into the bank's computer systems. From mid-June to mid-August, the sources said, network penetrations occurred regularly for about an hour at a time.
Other sources told The New York Times that the intruders gained administrative privileges on more than 90 JPMorgan Chase servers, and copied lists of software installations across the company, information that could be used to stage later attacks against vulnerable software.
If so, the damage could be much greater than the exposure of contact information.
"Focusing on the number of accounts breached is potentially misleading," Jeff Williams, co-founder and chief technology officer of Palo Alto, California-based Contrast Security, said in a statement. "Attackers took full control of millions of personal and business accounts – meaning that they could transfer funds, disclose information, close accounts, and basically do whatever they want to the data."
Williams dismissed JPMorgan Chase's claim that there was "no evidence" customer data beyond contact information had been taken.
"That's not surprising if the attackers had total control over the servers, log files, and databases," he said. "Even inexperienced hackers know how to exfiltrate data without being detected and how to cover their tracks."
Reports of an attack on JPMorgan Chase and four other banks, which have not been identified, first surfaced in late August. In mid-September, further reports stated that the compromised account data at JPMorgan Chase was limited to contact information, although it was thought that only a million personal records were affected.