JPMorgan announced Wednesday that it discovered the breach in September. The issue was fixed and law enforcement notified. Spokesman Michael Fusco said that since it happened the bank had been investigating how it happened, which accounts were affected, and what data was lost. He said the breach accounted for about 2% of its total 25 million UCard users.
He also said that JPMorgan could not rule out the possibility that personal data had been stolen. Reuters reports, "The bank typically keeps the personal information of its customers encrypted, or scrambled, as a security precaution. However, during the course of the breach, personal data belonging to those customers had temporarily appeared in plain text in files the computers use to log activity." He did not explain how the breach occurred.
In Louisiana, Commissioner of Administration Kristy Nichols issued a separate statement: "three Louisiana state agencies were notified by JP Morgan Chase today that a data breach may have exposed the personal information of certain Louisiana citizens." In total, 13,500 UCard recipients are affected across the three agencies: 6000 cards used by the Department of Revenue to distribute tax refunds, 5,300 child support cards from the Department of Children and Family Services, and 2,200 unemployment benefit cards from the Workforce Commission.
"According to the bank," says the statement, "the data exposure affects only cardholders who registered their cards on the JPMorgan UCard Center website and, between July and September 2013, performed certain actions online. JPMorgan is notifying each affected cardholder by email of the specific manner in which their information was compromised. JP Morgan Chase states that there is no evidence that the information has been fraudulently used, and they continue to monitor the security status for all cardholders involved. An investigation as to the causes of this security violation is ongoing."
Kristy Nichols added, "We will hold JP Morgan Chase responsible to make certain that the rights and personal privacy of these Louisiana citizens is protected."
Since many states require banks to notify customers if they believe there is a chance that personal data has been lost, it is likely that further announcements from other states will be made over the next few days. However, JPMorgan has stressed that only a small amount of data was stolen, and that it did not include critical information such as social security numbers, birthdays or email addresses.
"Fusco," reports Reuters, "said the bank has not found that any funds were stolen as a result of the breach and that it has no evidence that other crimes have been committed. As a result, it is not issuing replacement cards." The bank's debit card, credit card and prepaid Liquid card users are not affected.