The cards were issued for corporations to pay employees and for
government agencies to issue tax refunds, unemployment compensation
and other benefits.
JPMorgan said on Wednesday it detected that its web servers used by
its site www.ucard.chase.com had been breached in the middle of
September. It then fixed the issue and reported it to law
Bank spokesman Michael Fusco said that in the months since the
breach was discovered the bank has been investigating to find out
exactly which accounts were involved and what pieces of information
could have been taken. He declined to discuss how the attackers
breached the bank's network.
Fusco said the bank is notifying the cardholders, who account for
about 2 percent of its roughly 25 million UCard users, about the
breach because it cannot rule out the possibility that their
personal information was among the data removed from its servers.
The bank typically keeps the personal information of its customers
encrypted, or scrambled, as a security precaution. However, during
the course of the breach, personal data belonging to those customers
had temporarily appeared in plain text in files the computers use to
The bank believes "a small amount" of data was taken, but not
critical personal information such as social security numbers, birth
dates and email addresses.
Cyber criminals covet such data because it can be used to open bank
accounts, obtain credit cards and engage in identity theft. Many
states require banks to notify customers if they believe there is
any chance that such information may have been taken in a breach.
The bank is also offering the cardholders a year of free
The warning only affects the bank's UCard users, not holders of
debit cards, credit cards or prepaid Liquid cards.
Fusco said the bank has not found that any funds were stolen as a
result of the breach and that it has no evidence that other crimes
have been committed. As a result, it is not issuing replacement
[to top of second column]
The spokesman declined to identify the government agencies and
businesses whose customers it had warned about the breach. Fox 8
News in New Orleans reported on its website that three Louisiana
agencies were notified by the bank on Wednesday that the personally
identifiable information of some state citizens may have been
State officials could not be reached for comment late Wednesday.
The bank said it does not know who was behind the attack, though the
Secret Service and FBI are investigating the matter.
Businesses and government agencies are increasingly using prepaid
cards because they are easier to cash than paper checks.
Yet the vast stores of data behind payment cards of all kinds have
created new risks. In 2007 some 41 million credit and debit card
numbers from major retailers, including the owner of T.J. Maxx
stores, were stolen.
In May of this year U.S. prosecutors said a global cybercrime ring
had stolen $45 million from banks by hacking into credit card
processing firms and withdrawing money from automated teller
machines in 27 countries.
(Reporting by David Henry in New York and Jim Finkle in Boston;
Editing by Christopher Cushing)