The cards are generally issued as a way for corporations to pay employees. Government agencies also use the UCards to issue tax refunds, unemployment compensation, and other benefits.
Because none of the other cards under the JPMorgan Chase brand were affected, and there’s no evidence any funds were stolen, the bank will not issue replacement cards. Still, the bank isn’t sure what personal information was stolen but believes “a small amount” of data was taken.
The term “small amount” could mean anything — hackers don’t need much to fraudulently open bank accounts or credit cards. To prevent this type of identity theft, the bank has said it’s offering the cardholders a year of free credit-monitoring services.
But how did hackers compromise the UCard servers maintained by JP Morgan Chase? The company has said that normally encrypted records appeared in clear text temporarily while the breach taking place.
Connecticut state Treasurer Denise Nappier said in a statement that she is “dismayed” that it took JPMorgan 2.5 months to communicate the problem.
“They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues,” Nappier said.
She added that during the two month period between July and September, certain information entered by cardholders on the UCard website, particularly during the process of activating cards and of transferring balances, was subject to unauthorized access. Such information that could have been exposed includes: name, Social Security number, bank account number, card number, date of birth, security answer, password, address, phone number and email address.