J.P. Morgan Chase said Thursday that personal information of some prepaid debit cardholders in multiple states might have been improperly viewed on the bank’s servers from mid-July to mid-September. Pennsylvania offers debit cards from Chase as one option for those receiving unemployment compensation or workers compensation benefits.
The bank has informed the state Treasury that approximately 26,000 accounts among Pennsylvania’s nearly 400,000 state debit cardholders could have been involved. The breach affects only cardholders who used the J.P. Morgan Chase UCard Center website between mid-July and mid-September.
Chase will begin notifying affected cardholders in a letter sent by email on Monday, a process that will take several days. About 465,000 cardholders nationwide had their personal data potentially compromised.
Chase said it has found no evidence that the information was used improperly. As a precaution, it is providing affected cardholders two years of free credit monitoring and identity theft insurance through ITAC Sentinel.
Until cardholders receive their notification, they are being urged by Chase to report any transactions they don’t recognize by calling the phone number on the back of their card. If they are notified they are among affected cardholders, they should then use the special contact number that will be included in their email.
For the majority of cardholders, the personal information that might have been viewed includes: card number, date of birth, user ID, and email address. Cardholders who completed transactions to external bank accounts from their debit cards might have had information about those accounts viewed. For fewer than 10 cardholders, name, address, security questions, phone number, and password could have also been viewed.
The Pennsylvania Treasury has asked Chase to provide a detailed explanation regarding the nature of the security breach and its response, including an explanation for any delay in notifying the commonwealth of the risk to which cardholder accounts were exposed. Chase will also be required to describe additional measures that it will implement to minimize or eliminate the potential for recurrence.
For security reasons, Chase could not explain details of how the breach occurred. It has referred the matter to law enforcement.