JP Morgan Chase, the largest bank in the US, informed investors on Thursday that a data breach during the summer had affected around 76 million households and approximately 7 million small businesses.
Confirmation of the scale of the breach, one of the largest ever, came in an 8-K filing with the Securities and Exchange Commission (SEC) in which the company revealed that the attackers took off with user information including names, addresses, phone numbers and email addresses as well as “internal JPMorgan Chase information”.
On a more positive note, the company says it has seen no indication that account numbers, passwords, user IDs, dates of birth and Social Security numbers were compromised and says it has not seen “any unusual customer fraud related to this incident.”
It also makes clear that customers will not be liable for any unauthorised activity on their accounts as long as they let the bank know “promptly”.
JP Morgan Chase, which trades as Chase bank, has published a list of frequently asked questions for customers concerned about the breach.
In it, the company reiterated how no sensitive financial information was stolen and no unusual activity had been spotted since.
The bank warned of the threat of phishing attacks, which is exactly what happened in January 2014, a month after JP Morgan Chase experienced another breach which affected 465,000 prepaid cash card customers.
With that in mind, if you receive an email that appears to come from JP Morgan Chase & Co (or any other bank), be very wary. Remember that no legitimate financial institution is ever likely to send you an email asking for personal or sensitive financial information. If you wish to visit the official JP Morgan site, type the URL directly into your browser instead of clicking on a link within an email.
Of course, email isn’t the only possible means of a follow-up attack – social engineers may attempt to dupe Chase customers by telephone too, especially if they have hold of the phone numbers we now know were snaffled in the breach.
If you receive a call which appears to come from JP Morgan Chase, do not give out any information and hang up. If you actually need to speak to the bank, or wish to confirm the call was in fact genuine, call back using a phone number found on your credit card statement or other official banking paperwork.
The company says it will continue to work with government agencies to uncover the root of the attack.