More than a month after the FBI said it was investigating cyberattacks on U.S. banks, JPMorgan Chase, the country's biggest bank by assets, disclosed that approximately 76 million households and 7 million small businesses have been compromised.
The bank said that "user contact information" including the name, address, phone number, email address, and "internal JPMorgan Chase information relating to such users" was affected by the breach. The bank said that there is "no evidence" that the breach allowed anyone to access the account numbers, passwords, user IDs, birthday, or social security numbers of the account holders and that there wasn't any "unusual consumer fraud" related to the breach. The hackers, it seems, have not actually gotten any money from the cyberattack.
JPMorgan Chase has 65.8 million open credit card accounts and 31.8 million with sales activity, according to its most recent quarterly report. Chase also has 30.1 million checking accounts.
While the numbers seem large in comparison to the number of people that have accounts with Chase, JPMorgan spokesperson Trish Wexler said that it wasn't the best comparison to draw. What happened, she said, is that in June and August, the hackers got access to some information for people using Chase.com and the Chase app, as well as private bank customers using the JPMorgan website and app.
While the information is personal, it did not include passwords that could help hackers log in to other sites or email accounts nor the banking information that would allow them to use Chase credit cards or take money from customer accounts, Wexler said.
Wexler explained the disparity between the number of Chase checking and credit card account holders and the size of the hack by saying that the number of people logging into Chase.com or JPMorgan Online can include customers that don't have bank or credit card accounts with Chase like mortgage or auto borrowers. Some data accessed by the hackers could also belong to former Chase customers, Wexler said.
Bloomberg reported, citing an anonymous source, that hackers were able to get information that allowed them to tell what type of customers the users were, "such as whether they are clients of the private-bank, mortgage, auto or credit-card divisions."
The attack was first launched in mid-June, the Wall Street Journal reported, but wasn't noticed by JPMorgan until mid-August.
JPMorgan has been amping up its efforts to thwart cyberattacks in recent years. In his annual letter to shareholders, the bank's Chairman and Chief Executive Officer Jamie Dimon said that the bank will spend $250 million this year on cybersecurity and will have approximately 1,000 employees working on keeping the bank safe from cyberattacks. That's up from 600 employees working on it in 2012 and $200 million spent that year. "Despite these intense efforts, we acknowledged that the issue of cybersecurity worried us," Dimon wrote in the letter, "that worry only has continued to intensify."
If you have more information about the hack, or if you've had any problems with your Chase account, please email firstname.lastname@example.org
This post has been updated with the number of Chase checking and credit card accounts.
This post has been updated with comments from Trish Wexler.
Matthew Zeitlin is a business reporter for BuzzFeed News and is based in New York. Zeitlin reports on Wall Street and big banks.
Contact Matthew Zeitlin at email@example.com.
Got a confidential tip? Submit it here.