JPMorgan Chase and Co. revealed this week that between July and September, hackers accessed servers for its UCard Center website, which supports prepaid cards used for payroll and government benefits. The bank says the breach may have exposed information, including card numbers, for 465,000 of its prepaid card customers.
So far, Chase says there has been no evidence of fraud linked to those compromised accounts.
Chase declined to comment about how the attackers compromised the servers. The bank also declined to comment about whether personal information linked to UCard accounts was viewed in plain text during the breach, as Reuters reported.
Chase is not reissuing cards, but accountholders impacted by the breach have been advised to monitor their accounts for fraudulent or suspicious activity, says Chase spokesman Michael Fusco. Chase also is offering free credit monitoring for one year to those affected.
Roughly 2 percent of Chase's 25 million UCard users were likely affected by the breach, Fusco says. In addition to card numbers, other personally identifiable information about some of the prepaid cardholders may have been exposed, he acknowledges, although Chase does not believe Social Security numbers or dates of birth were exposed.
"The personal information of some cardholders in our corporate prepaid and government benefits programs may have been viewed improperly on J.P. Morgan servers that support our UCard Center website," Fusco says.
Only cardholders who used the UCard Center website between mid-July and mid-September run the risk of possible exposure, he says.
"When we detected this issue, our first priority was to protect our systems, cardholders' data and accounts," he adds. After an internal investigation to determine what information and accounts may have been exposed, Chase began notifying impacted customers, Fusco says. The breach is still under investigation.
Other Prepaid Account Breaches
In another recent breach incident that targeted prepaid accounts, cyberthieves breached accounts managed by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, and Bank Muscat, both located in the Middle East (see New Arrests in $45 Million ATM Cash-Out).
The card details were stolen during two separate attacks, federal authorities say. The first attack, on Dec. 22, 2012, took aim at an unnamed card processor used by RAKBANK. After breaching the processor, fraudsters created fake ATM/debit cards encoded with the prepaid card numbers and then made more than 4,500 fraudulent ATM withdrawals across 20 countries totaling $5 million, investigators say.
In the second attack, which hit Feb. 19-20, 2013, hackers targeted Bank Muscat and then successfully withdrew $40 million from ATMs in 24 countries over a 10-hour period, federal authorities say.
Experts have suggested third-party security vulnerabilities, such as the one exploited at RAKBANK's processor, are often to blame for many of these types of breaches. In the Chase prepaid attack, however, no outside party was affiliated with the UCard program, Fusco says.
Attackers Target PII
Michael Versace, director of cybersecurity and big data risk for the consultancy IDC, says more cyber-attackers are hitting targets that give them access to personal information, such as e-mail addresses, passwords and addresses, which can be used to open accounts and compromise identities.
Common security strategies and standards, such as the Payment Card Industry Data Security Standard, have failed to keep up with the sophistication of today's cyber-attacks, Versace says.
Online identities are at greater risk today than ever before, Versace says, pointing to an attack revealed this week that compromised some 2 million passwords and credentials for Facebook and other social networking sites.
"Collectively, the events just of this week suggest a failure to address the real systemic risk in the digital identity world," he says.