Chase Breach: Prosecutors Demand DetailsState Attorneys General Raise Concerns About Incident
A group of about 20 state attorneys general has sent a letter to JPMorgan Chase and its outside counsel demanding the bank reveal far more details about its breach last year that exposed information related to 76 million households and 7 million small businesses.
For example, the prosecutors want to know the basis for Chase's statement that there is "no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised during this attack."
The letter, which was sent Jan. 8, states: "This incident raises concerns about the security of our states' residents' private information in the hands of JPM. Further, critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent future breaches."
A spokesperson for the Connecticut Attorney General's Office, which provided a redacted copy of the letter to Information Security Media Group, declined to comment on the letter, and would not disclose the other states involved in the investigation, beyond Connecticut and Illinois. Some states have laws prohibiting disclosure of investigations, the spokesperson explained.
The multi-state inquiry follows news that the breach at Chase might have been prevented if the bank's information security team hadn't failed to upgrade a sensitive server to require two-factor authentication controls (see: Chase Attackers Exploited Basic Flaws).
In addition to the states investigating Chase, Rep. Elijah E. Cummings, D-Md., has requested a hearing on the breach.
Breach Details Sought
In addition to seeking details on why Chase said there's no evidence sensitive details, such as account numbers or passwords, were taken, the prosecutors are asking Chase to provide:
- The facts and circumstances of the breach, including a complete timeline of events leading up to the discovery of the breach, any vulnerability exploited in connection with the breach and JPMC's efforts to investigate and mitigate thereafter;
- The information about consumers maintained by Chase;
- The information about consumers subject to the breach;
- The number of consumers affected by the breach for each state participating in the inquiry;
- Whether Chase is aware of any fraudulent activity regarding any compromised information;
- The technological, administrative and physical safeguards that were in place to protect the information compromised in this breach from unauthorized access or acquisition;
- Any additional safeguards that have been or are to be taken in an effort to prevent future breaches;
- A copy of any and all compliance materials, both public and non-public, regarding compliance with Gramm-Leach-Bliley;
- A copy of Chase's privacy policies;
- A copy of any internal or third party investigative report or audit performed by or for Chase relative to the breach.
Chase has until Jan. 23 to provide the information being requested by the attorneys general. A spokesperson for Chase declined to comment on the request.
Sketchy Information Provided
On Oct. 2, Chase confirmed the breach in a U.S. Securities and Exchange Commission Form 8-K. The bank revealed that information compromised in the attack included customers' contact information, including names, addresses, phone numbers and e-mail addresses.
The breach affected customers who use these Web and mobile services: Chase.com, JPMorganOnline, Chase Mobile and JPMorgan Mobile, the bank says.
Internal Chase data - used in connection with providing or offering services to customers - also was compromised, the company says in a statement posted on its website.