Late Thursday, JPMorgan Chase, the nation’s largest bank, revealed that as many as seven million small businesses and 76 million households had their accounts potentially compromised in a cyberattack this summer. While the company had previously reported the attack, a filing with the Securities and Exchange Commission (SEC) revealed the severity of the attack.
From the the filing and information provided on Chase.com, this is what is currently known about the cyberattack and what the bank is recommending to its customers:
Who was affected?
Customers were affected if they used the following web or mobile services: Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile.
What did the hackers get?
Customers’ contact information – name, address, phone number and email address.
What did the hackers NOT get?
Bank account numbers, passwords, user IDs, date of birth or Social Security numbers.
Were the hackers able to steal money from accounts?
No.
Is a customer liable for money if it turns out they are able to use the information to obtain funds from the customer’s account?
Customers are not liable for any unauthorized transaction on their account if they promptly alert us. The bank says it has not seen any unusual fraud activity related to this incident.
Should customers change your password?
“We don’t believe that’s necessary,” says the bank. “Passwords and user IDs were not compromised.”
Do customers need a new debit or credit card?
No credit card or debit card numbers were compromised. According to the bank, “Since we have seen no evidence of unusual fraud activity, we don’t think customers need to go through the inconvenience of having their cards reissued.”
Do customers need to get credit/identity theft monitoring?
As no financial or account data was compromised, the bank says it does not believe that is necessary
Has the bank stopped the attack?
Yes. The bank says it has identified and closed the known access paths and has no evidence that the attackers are still in our system.
What do small business customers need to worry about?
Phishing (fake email sent to customers that appears to be from the bank but that the cybercriminal hopes a customer will click-through and reveal sensitive data) is typically the biggest risk when contact information has been compromised. The bank encourages customers to be cautious of any communications that ask for personal information. Don’t click on links or download attachments in emails from unknown senders or other suspicious email. According to the bank, it never asks customers to enter personal information in an any email or text message.
Where to find more information
Chase.com’s Security Center has information and recommendations about security and privacy matters. The bank’s update was posted here.
While not related specifically to this cyberattack, SmallBusiness.com has several recommendations for securing your online accounts.
Illustration by SmallBusiness.com from a photo by
Michael Daddino via Flickr. (CC BY 2.0)