JPMorgan Warns 465,000 UCard Users' Personal Data May Have Been Stolen


Related Links

Related Stories

  • Simple Yet Elegant Card Skimmer Goes on Sale in Time for the Holidays
    A new point-of-sale (POS) skimmer, used for lifting credit card details and PIN data at retail locations, has gone on sale for thousands of dollars on semi-private underground crime forums. The skimmer is notable in that it can be installed and removed in the blink of an eye.
  • One Quarter of Data Breach Victims Go on to Suffer ID Theft
    ID thieves are getting more successful at leveraging stolen data for ill-gotten gains. Of the 16 million victims notified in 2012 that their payment card information was compromised in a data breach, more than 25% of them also suffered identity theft, according to a new study.
  • Contactless Payment Details Can Be Intercepted with Inexpensive Equipment
    A paper published this week by the Institution of Engineering and Technology (IET) demonstrates that contactless payment card data can be intercepted at more than four times the distance laid down by standards.
  • 44% of Americans Don't Sign Their Credit and Debit Cards
    More than two in five Americans (44%) have chosen not to sign the back of their credit or debit cards, instead writing “see ID” or leaving it blank. However, the tactic is not achieving its intended outcome, as 87% of respondents report that majority of the time they make a purchase with their cards, they are not asked to present proof of ID.
  • Adobe Hacked – Customers' Card Details and Adobe Source Code Stolen
    Adobe has been hacked. Source code for numerous Adobe products including Acrobat and ColdFusion has been stolen. Customer IDs and passwords have been accessed; and card details for 2.9 million customers stolen.

Top 5 Stories


JPMorgan Warns 465,000 UCard Users' Personal Data May Have Been Stolen

05 December 2013

Preloaded UCards are used by corporations to pay employees and for government agencies to issue tax refunds, unemployment and other benefits because they are often easier for the recipient to cash than paper checks. The stolen data may have been in plaintext at the time of the breach.

JPMorgan announced Wednesday that it discovered the breach in September. The issue was fixed and law enforcement notified. Spokesman Michael Fusco said that since it happened the bank had been investigating how it happened, which accounts were affected, and what data was lost. He said the breach accounted for about 2% of its total 25 million UCard users.

He also said that JPMorgan could not rule out the possibility that personal data had been stolen. Reuters reports, "The bank typically keeps the personal information of its customers encrypted, or scrambled, as a security precaution. However, during the course of the breach, personal data belonging to those customers had temporarily appeared in plain text in files the computers use to log activity." He did not explain how the breach occurred.

In Louisiana, Commissioner of Administration Kristy Nichols issued a separate statement: "three Louisiana state agencies were notified by JP Morgan Chase today that a data breach may have exposed the personal information of certain Louisiana citizens." In total, 13,500 UCard recipients are affected across the three agencies: 6000 cards used by the Department of Revenue to distribute tax refunds, 5,300 child support cards from the Department of Children and Family Services, and 2,200 unemployment benefit cards from the Workforce Commission.

"According to the bank," says the statement, "the data exposure affects only cardholders who registered their cards on the JPMorgan UCard Center website and, between July and September 2013, performed certain actions online. JPMorgan is notifying each affected cardholder by email of the specific manner in which their information was compromised. JP Morgan Chase states that there is no evidence that the information has been fraudulently used, and they continue to monitor the security status for all cardholders involved. An investigation as to the causes of this security violation is ongoing."

Kristy Nichols added, "We will hold JP Morgan Chase responsible to make certain that the rights and personal privacy of these Louisiana citizens is protected."

Since many states require banks to notify customers if they believe there is a chance that personal data has been lost, it is likely that further announcements from other states will be made over the next few days. However, JPMorgan has stressed that only a small amount of data was stolen, and that it did not include critical information such as social security numbers, birthdays or email addresses.

"Fusco," reports Reuters, "said the bank has not found that any funds were stolen as a result of the breach and that it has no evidence that other crimes have been committed. As a result, it is not issuing replacement cards." The bank's debit card, credit card and prepaid Liquid card users are not affected.

This article is featured in:
Data Loss  •  Internet and Network Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×