NEW YORK — A huge cyberattack against JPMorgan Chase this summer has compromised customer information for about 76 million households and 7 million small businesses, the bank said Thursday.
JPMorgan Chase said that names, addresses, phone numbers and e-mail addresses were stolen from the company’s servers, but only customers who use the websites and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected.
The New York-based bank said there’s no evidence that the data breach included account numbers, passwords, Social Security numbers or dates of birth. It also said it has not seen any unusual customer fraud stemming from the data breach.
JPMorgan Chase, the nation’s biggest bank by assets, has been working with law enforcement officials to investigate the cyberattack.
The bank discovered the intrusion on its servers in mid-August and has since determined that the breach began as early as June, said spokeswoman Patricia Wexler.
“We have identified and closed the known access paths,” she said, declining to elaborate.
The company also disabled compromised accounts and reset passwords of all its technology employees, Wexler said.
The attack at JPMorgan Chase went unnoticed for about two months this summer, people familiar with the matter told Bloomberg News. Between mid-June and mid-August, hackers breached JPMorgan’s servers for short intervals, around an hour at a time, these people said. JPMorgan learned of the attack in mid-August and stopped it, these people said.
The attack appears to have been caused by malicious computer code, known as malware, people familiar with the matter said.
Hackers appear to have originally breached JPMorgan’s network via an employee’s personal computer, a person close to the investigation has said. From there, the intruders were able to move further into the bank’s inner systems. Employees often use software to tap in to corporate networks from home through what are known as virtual private networks.
The bank has disabled accounts that may have been compromised, people familiar with the bank’s response said.
In a post on its website, the bank told customers that it doesn’t believe they need to change their password or account information.
The breach is yet another in a series of data thefts that have hit financial firms and major retailers.
A data breach at Target in December compromised 40 million credit and debit cards. The theft of 90 million TJX Companies records, disclosed in 2007, remains the largest data breach at a retailer.
Last year, four Russian nationals and a Ukrainian were charged in what has been called the largest hacking and data breach scheme ever prosecuted in the United States. They were accused of running a hacking organization that penetrated computer networks of more than a dozen major U.S. and international corporations over seven years, stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars.
The Chase heist is even more disturbing than the recent retail breaches because banks are supposed to have fortresslike protection against intruders, said Gartner security analyst Avivah Litan.
“This is really a slap in the face of the American financial services system,” Litan said. “Honestly, this is a crisis point.”
Chase’s assurances that they haven’t found any evidence of the personal data being misused shouldn’t be misinterpreted as a reason to rest easy. The information still could be used in a variety of ways to rip off people in the months and years ahead.
That means consumers and business owners need to be more vigilant than ever, making sure to pore over their financial statements each month for any sign of suspicious activity.
Bloomberg News contributed to this report.
