JPMorgan Chase glitch let customers see other users' data

Dive Brief:

JPMorgan Chase warned customers this month that a “technology issue” may have caused some customers to see account information of other customers with similar personal information while using the bank’s mobile app or website, according to a letter posted on the Montana attorney general’s website.
The breach, which lasted from May 24 to July 14, appears to have affected a limited number of customers — seven in Montana, for example — although no details were available regarding potential impact in other states, or elsewhere. Exposed information may have included account balances, transactions and customers’ names and account numbers, the bank said.
The bank offered affected customers a free year of credit monitoring through Experian and advised them to review their account settings and transactions as a precaution. “We have found no indication that your information has been used inappropriately,” JPMorgan Chase wrote in its letter to customers. “You won’t be liable for any fraudulent activity on your Chase accounts that you promptly tell us about.”

Dive Insight:

Although this month’s glitch appears to have limited reach, data breaches can prove costly both in reputational damage and in regulator penalties.

The Office of the Comptroller of the Currency (OCC) fined Capital One $80 million last year for its role in a 2019 breach that exposed data from more than 106 million accounts.

That hack occurred after a former employee of Capital One’s cloud hosting company, Amazon Web Services, gained access to the bank’s customer data by exploiting a misconfigured web application firewall.

The Federal Reserve ordered the bank’s board of directors to submit a written plan outlining how it intends to improve its risk management program and internal controls for protecting customer data.

The breach prompted two lawmakers, Reps. Katie Porter, D-CA, and Nydia Velazquez, D-NY, to write then-Treasury Secretary Steven Mnuchin to suggest the three largest cloud providers — Amazon Web Services, Microsoft Azure and Google Cloud — be designated systemically important financial market utilities.

The OCC and the Federal Deposit Insurance Corp. (FDIC) last year proposed requiring banks to notify their primary federal regulator within 36 hours of making a good-faith determination that a cybersecurity incident could materially disrupt, impair or degrade their operations or threaten U.S. financial stability. The measure would also require vendors to notify affected bank customers immediately of any incident that disrupted services for four hours or more.

Capital One is far from alone in the fight against data breaches. Morgan Stanley suffered a data breach after one of its vendors discovered a compromise through the Accellion file transfer appliance (FTA) vulnerability, according to a July 2 disclosure letter.

Memphis, Tennessee-based First Horizon reported a data breach in April in which an unauthorized party obtained login credentials and exploited a vulnerability in third-party security software, according to a Securities and Exchange Commission (SEC) filing. The compromise allowed attackers to access fewer than 200 online accounts, steal personal information from the victims and exfiltrate less than $1 million, according to the filing.

And the personal data of 7.5 million users of the challenger bank Dave was exposed in July 2020 when a "malicious party" gained unauthorized access through a former third-party service provider, the personal finance company said in a blog post.

Attacks against the financial sector increased by 238% in the first five months of 2020, Tom Kellermann, head of cybersecurity strategy at VMware, testified last year on Capitol Hill, according to American Banker.

Beyond that, it appears customers demand earlier notification from banks than other companies that suffer data breaches, Experian found in 2019. About 83% of respondents said they expected to be notified within 24 hours if the breached company is a bank, according to the survey of 1,004 U.S. adults. That compared with 75% for a government agency, 73% for a health care organization and 61% for a retailer.