In a recent regulatory filing with the Office of the Maine Attorney General on April 29, J.P. Morgan Chase Bank revealed that a staggering 451,000 individuals were impacted by a vendor-provided system data breach.
According to the bank, a software issue in this system erroneously granted access to retirement plan participants’ records to users who should not have had such privileges. The breach exposed sensitive personal information, including names, social security numbers, mailing addresses, payment and deduction details, as well as bank routing and account numbers for those using direct deposit.
Limited Access, but Potential for Misuse
J.P. Morgan stated that the “incorrect entitlements” were limited to three authorized system users who, as part of their job responsibilities, regularly access this type of information and are obligated to safeguard it. These three users were employed by J.P. Morgan customers or their agents.
Over the period from August 26, 2021, to February 23, 2024, these individuals downloaded a total of 12 reports containing the sensitive data of retirement plan participants.
Prompt Action and Identity Theft Protection
Upon becoming aware of the software issue on February 23, J.P. Morgan promptly corrected the users’ access issue, tested it, and applied a software update to resolve the problem. A spokesperson for the bank emphasized, “There is no indication of data misuse,” and clarified that the breach was not part of a cyberattack.
As a precautionary measure, J.P. Morgan is offering two years of identity theft protection services through Experian to all affected individuals. The bank has also made its call center available to address participants’ questions and concerns regarding the data breach.