NEW YORK (CBSNewYork/AP) — New details on a cyberattack against JPMorgan Chase & Co.’s computer servers this summer add to increasing doubts over the security of consumer data kept by lenders, retailers and others.
The New York-based bank disclosed Thursday that the breach compromised customer information pertaining to roughly 76 million households and 7 million small businesses.
Among the customer data stolen were names, addresses, phone numbers and email addresses, though only customers who use the websites Chase.com and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected, the bank said.
JPMorgan stressed that there’s no evidence that the data breach included account numbers, passwords, Social Security numbers or dates of birth. It also noted that it has not seen any unusual customer fraud stemming from the data breach.
Credit security expert Paul Oster told CBS 2’s Tony Aiello on Friday that the risk to the consumer is significant.
“Now (hackers) know that you’re banking at Chase, so what they can do now is again try and backtrack into checking and savings accounts,” Oster said.
The server breach follows data thefts that have hit financial firms and major retailers this year, adding to consumer concerns over the risk of identity theft and fraud.
The Chase heist is even more disturbing than the recent retail breaches because banks are supposed to have fortress-like protection against intruders, said Gartner security analyst Avivah Litan.
“This is really a slap in the face of the American financial services system,” Litan said. “Honestly, this is a crisis point.”
JPMorgan Chase, the nation’s biggest bank by assets, has been working with law enforcement officials to investigate the cyberattack.
The bank discovered the intrusion on its servers in mid-August and has since determined that the breach began as early as June, spokeswoman Patricia Wexler said.
“We have identified and closed the known access paths,” she said, declining to elaborate.
She also declined to comment on whether JPMorgan has been able to determine who was behind the cyberattack on its servers.
In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.
In a post on its Chase.com website, the bank told customers that it doesn’t believe they need to change their password or account information. It also noted that customers are not liable for unauthorized transactions when they promptly alert the bank.
But as the country’s largest bank, many customers expect them to have the highest level of protection.
“They should have done a better job no matter what,” Bronx resident Ben Ventura told CBS 2’s Janelle Burrell.
“I’m not happy about it,” a Chase customer named Liz said. “They need to tighten up their security when it comes to that. ”
“I hoped they had better security,” one man said. “They’ve been established for a long time.”
“That’s private information and not only is it private information, they can get to your friends and stuff like that,” another man said. “It’s crazy.”
“The concern is, basically, they can steal our identity,” said Tammy O’Connor of Manasquan, N.J.