By David Henry and Jim Finkle
NEW YORK/BOSTON Dec 5 JPMorgan Chase & Co
is warning some 465,000 holders of prepaid cash cards
issued by the bank that their personal information may have been
accessed by hackers who attacked its network in July.
The cards were issued for corporations to pay employees and
for government agencies to issue tax refunds, unemployment
compensation and other benefits.
JPMorgan said on Wednesday it had detected that the web
servers used by its site www.ucard.chase.com had been breached
in the middle of September. It then fixed the issue and reported
it to law enforcement.
Bank spokesman Michael Fusco said that since the breach was
discovered, the bank has been trying to find out exactly which
accounts were involved and what information may have been
compromised. He declined to discuss how the attackers breached
the bank's network.
Fusco said the bank was notifying the cardholders, who
account for about 2 percent of its roughly 25 million UCard
users, about the breach because it couldn't rule out the
possibility that their personal information was among the data
removed from its servers.
The bank typically keeps the personal information of its
customers encrypted, or scrambled, as a security precaution.
However, during the course of the breach, personal data
belonging to those customers had temporarily appeared in plain
text in files the computers use to log activity.
The bank believes "a small amount" of data was taken, but
not critical personal information such as social security
numbers, birth dates and email addresses.
Cyber criminals covet such data because it can be used to
open bank accounts, obtain credit cards and engage in identity
theft. Many states require banks to notify customers if they
believe there is any chance that such information may have been
taken in a breach.
The bank is also offering the cardholders a year of free
The warning only affects the bank's UCard users, not holders
of debit cards, credit cards or prepaid Liquid cards.
Fusco said the bank had not found that any funds were stolen
as a result of the breach and that it had no evidence that other
crimes have been committed. As a result, it was not issuing
The spokesman declined to identify the government agencies
and businesses whose customers it had warned about the breach.
Officials from the states of Louisiana and Connecticut said
the bank notified them this week that personal information of
some of their citizens may have been exposed.
Louisiana citizens included about 6,000 people who received
cards with state income tax refunds, plus 5,300 receiving child
support payments and 2,200 receiving unemployment benefits,
according to a statement from state Commissioner of
Administration Kristy Nichols on Wednesday.
Nichols said Louisiana would "hold JP Morgan Chase
responsible" for protecting the rights and personal privacy of
Connecticut Treasurer Denise Nappier said she was "dismayed"
that the bank took two and a half months to notify the state of
"JPMorgan Chase has some work to do, not only to assure the
holders of its debit cards, but also to restore the state's
confidence in the company's ability to remain worthy of our
continued business," Nappier said in a statement on Thursday.
The bank said it didn't know who was behind the attack,
though the Secret Service and FBI were investigating the matter.
Businesses and government agencies are increasingly using
prepaid cards because they are easier to cash than paper checks.
Yet the vast stores of data behind payment cards of all
kinds have created new risks. In 2007, some 41 million credit
and debit card numbers from major retailers, including the owner
of T.J. Maxx stores, were stolen.
In May of this year, U.S. prosecutors said a global
cybercrime ring had stolen $45 million from banks by hacking
into credit card processing firms and withdrawing money from
automated teller machines in 27 countries.