November 10, 2015 Update
Last week, JPMorgan Chase announced that contact information for about 76 million households and 7 million small businesses was compromised in a massive data breach. The breach exposed names, addresses, phone numbers and email addresses of customers of the largest U.S. bank. Affected customers include those who use Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile.
According to the New York Times, hackers accessed accounts on over 90 servers. This is the first time a major hack has hit a financial system; for the last few years, such attacks have been largely confined to retailers like Target. Unfortunately, JPMorgan has customer information that is far more sensitive. So far, there is no evidence hackers have taken any money from customer accounts.
The attack seems to have gone unnoticed for about two months. Between June and August, hackers accessed accounts on more than 90 servers for short periods of time, usually around an hour for each attack. In August, JPMorgan discovered the breach and closed access paths.
The attack seems to have been caused by malware. The hacker group appears to have obtained a list of software JPMorgan uses on its computers, then looked through each for known vulnerabilities.
A new report reveals that Russian hackers are most likely behind the attack, and JPMorgan was not the only target. Around 9 other financial institutions were also hit by the same group. The New York Times reported that the hackers seem to have ties to Russian government officials, and some have speculated that the attacks are political and were prompted by sanctions imposed on Russia over action in Ukraine.
According to JPMorgan, the hackers were able to gain access to customer names, phone numbers, email addresses, and physical addresses, although their attempts to gain access to more sensitive financial and personal information were thwarted.
In its filing to the SEC, JPMorgan said it hasn’t detected any unusual fraudulent activity on customer accounts.
While there has been no fraud activity detected, phishing is the biggest danger, according to the bank. The stolen information can lead to phishing schemes, whether it is through email, phone or text. If you receive a voicemail, phone call, text or email attempting to solicit information, remember that JPMorgan Chase will not ask for your information.
Identity theft is also a concern. While it doesn’t seem that Social Security numbers, account numbers, passwords or birth date information was stolen, the data can still be used to steal the identity of customers. This may make the breach more serious than a credit card breach, as it can take months to undo the damage of identity theft, which often goes on for some time unnoticed.
It is even possible that the thieves may sell the stolen data to others, who can combine it with publicly available information from social media and census data. This can be used to create more convincing emails that lure consumers into providing Social Security numbers or login information.
JPMorgan says that you do not need to change your password or get a new card. Credit and identity theft monitoring may be a good idea, however. You may even want to take an extra step by adding a security freeze, which is one of the strongest tools you have at your disposal to prevent identity theft.
A freeze will prevent anyone from attempting to open a new account in your name. When you freeze your credit reports, TransUnion, Equifax and Experian will not release your credit information to any company that does not have a relationship with you.
You will need to request a freeze from each bureau separately. Keep in mind the freeze can be a bit of a hassle to you because you will need to lift it if you want to apply for any new credit. You should also monitor all of your accounts regularly and review each transaction. Be sure to check your credit report from each bureau at least once a year as well to monitor for fraud and identity theft.
Although JPMorgan has said you do not need to change your passwords, it’s always a good idea to make sure you are not using the same password for all of your accounts, and in particular that the password you use for banking is not the one you use for social accounts like email and Facebook.