A security breach at JPMorgan Chase & Co., the bank that manages the debit card system for unemployment benefits in Maine, may have affected more than 1,300 Mainers, and state officials want to know why they weren’t notified for months.
The affected residents, who have collected benefits in the last three years, comprise about 1.5 percent of all beneficiaries during that time. They will be notified Monday by JPMorgan Chase that their personal information – which could include dates of birth and email addresses – was compromised in mid-July.
JPMorgan Chase discovered the breach of its website, www.ucard.chase.com, in September, according to a spokesman, and quickly fixed the problem, but it waited nearly three months to alert Maine and the many other states that were affected. Nationwide, more than 450,000 JPMorgan Chase cardholders in several states may have had personal information compromised.
“The (Maine) Department of Labor is looking into the situation surrounding the breach and why we were not informed sooner of this event,” Commissioner Jeanne Paquette said in a statement. “Unfortunately, the department does not have access to individual debit card account data and cannot answer questions related to the status of individual accounts.”
Michael Fusco, a spokesman for JPMorgan Chase, declined to answer specific questions about why the company delayed alerting states for a few months and why it is waiting until Monday to alert individual customers.
“When we detected the issue our first priority was to protect our systems, cardholders’ data and accounts,” he said in an emailed statement. “We quickly fixed the issue and began an extensive investigation to understand exactly what happened, what, if any information was exposed, and who was affected. We reviewed the results and quickly took steps to communicate with everyone impacted.”
Although three months seems like a long time, it’s not unreasonable in this case, according to Josh Silver, an attorney at Bernstein Shur who specializes in data security.
“(JPMorgan Chase) may have been working with law enforcement this whole time that could have asked them not to disrupt an investigation,” he said. “Also, it can take weeks or even months for banks to know exactly what system was breached and what information was taken.”
The FBI and the U.S. Secret Service are investigating the cyberattack, but so far JPMorgan does not know who was responsible.
JPMorgan Chase, the nation’s largest bank in assets, alerted Maine officials in a Dec. 4 email about the breach. Maine Department of Labor spokeswoman Julie Rabinowitz said they did not receive a formal letter, only a message saying that customers would be notified.
“We haven’t had a situation like this,” she said. “It’s certainly unusual.”
Some state and local government agencies use “UCards” from JPMorgan Chase instead of checks to provide certain benefits, including unemployment, child support payments and food stamps. The number of accounts affected nationwide, 465,000, represents about 2 percent of all UCard users. The UCards are not the same as JPMorgan Chase’s regular debit or credit cards.
No state information systems or other unemployment system data were breached. The information that may have been exposed during the security lapse includes a claimant’s card number, date of birth, user ID, password and email address. The claimant’s personal identification number or Social Security number could not be viewed.
JPMorgan Chase plans to send emails to affected customers with an apology and an offer of free credit monitoring for one year. The bank told officials that it has found no evidence that any individual’s information was used improperly, and it will continue to monitor the accounts. The bank also asks cardholders to watch their accounts and to call the customer service number on the back of the debit card if they see purchases they do not recognize. JPMorgan Chase’s customer service number is (866) 315-1011.
Gov. Paul LePage promised to hold the contractor accountable.
“We will hold JP Morgan Chase responsible to ensure the security of our citizens’ rights and personal privacy,” LePage said in a statement. “We are greatly concerned about this lapse and want Mainers to know that we take seriously the need to keep data safe.”
Rabinowitz said the state is reviewing its contract with JPMorgan Chase to see if there is any recourse or if the bank failed to meet any obligations to the state.
Such cyberattacks are becoming more and more common, said Silver, the data security attorney. In May, federal authorities revealed that a global network of hackers stole $45 million within hours from cash machines around the world.
“This has been happening for awhile, but we’re starting to see more coverage,” Silver said. “Banks are better than most at dealing with these problems. They are knowledgeable and often make big investments in security, but even they get breached. No one can stay ahead of the hackers.”
Eric Russell can be contacted at 791-6344 or at: