December 06, 2013

When consumers lose their credit or debit card, they're expected to notify the card issuer in a timely fashion to minimize any related fraud or other lasting damage. But in the case of JPMorgan Chase, which this week began warning that hackers may have obtained prepaid card data and personal information for 465,000 of its cardholders, the same notification rules don't appear to hold true.

While the breach of JPMorgan Chase bank's systems occurred in July and the bank detected it in the middle of September, bank officials waited two and a half months before they began warning affected consumers.

All told, the July breach reportedly affected 2% of the bank's 25 million users of UCard, which is a prepaid card. Bank officials said that immediately after detecting the breach, they fixed the problem that had been exploited by hackers and notified both the FBI and Secret Service about the breach. They also said that information relating to the bank's debit card, credit card, and prepaid Liquid card holders wasn't compromised.

State officials in Connecticut this week said that the stolen information may have included names, social security numbers, bank account numbers, card numbers, dates of birth, security answers, passwords, addresses, and phone numbers. Such information, of course, would be useful for anyone seeking to commit identity theft.

According to some news reports, however, bank officials this week said that no personal information was stolen during the hack attack. Bank officials didn't immediately respond to an emailed request for clarification, nor did they respond to questions about how attackers gained access to the UCard systems or why the bank chose to wait so long before warning consumers. But according to news reports, while the stolen data was normally encrypted, it was being temporarily stored in plaintext format as a result of automated logging activity.

Read the full story on InformationWeek