A security breach at JPMorgan Chase has potentially exposed the personal information of 14,000 Connecticut residents with prepaid debit cards issued by state agencies, according Treasurer Denise Nappier.
In a Thursday statement, Nappier said an attack on the bank’s website may have impacted as many 465,000 accounts nationwide. The accounts affected in Connecticut are prepaid debit cards the state uses rather than checks to administer payments like tax refunds, child support, and unemployment benefits, the statement said.
About 7,000 of the cards were debit cards issued by the Department of Revenue Services. The others were issued by the departments of Labor, Social Services, and Children and Families.
The information the bank says may have been exposed includes data that cardholders entered online in the process of activating the cards or moving their balances. Exposed information may include names, social security numbers, bank account information, birthdates, passwords, phone numbers, and email addresses, the statement said.
“I want to assure all citizens who have these cards that my office considers this incident a serious breakdown in security, and holds JPMorgan Chase accountable,” Nappier said. “We expect JPMorgan Chase to take immediate steps to notify affected account holders, to offer credit protection services to those impacted, and to properly safeguard all private personal information of citizens who receive payments from the state via JPMorgan Chase debit cards. Our constituents deserve nothing less.”
In a short statement, JPMorgan Chase spokesman Michael Fusco said the company has “found no evidence that the information was used improperly and we will continue to monitor. As a precaution, we will notify all affected cardholders and offer free credit monitoring.”
The attack apparently occurred between July and September. Nappier said she was “dismayed” that the bank waited more than two months to notify her office of the security breach.
“They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues,” she said.
Nappier said the company will be notifying affected customers of exactly what information may have been compromised and providing them with two years of free credit monitoring.
Nappier and Revenue Services Commissioner Kevin Sullivan said they would be scrutinizing the company’s contract and “evaluating JPMorgan’s future as a vendor.”
According to the contract JPMorgan Chase has with the state, which was expanded to include Revenue Services back in 2012, the bank is expected to contact the state within one day if fraud is detected or reported. It also is expected to issue the cardholder a new card and card number within two weeks if fraud is detected.