JP Morgan recently disclosed a data security incident that compromised the personal and financial information of over 450,000 individuals. The breach stemmed from a software issue in a vendor-supplied system used for Benefit Payment Services, which improperly gave unauthorized employees access to sensitive data. The issue was discovered in February 2024, but the unauthorized access dates back to August 2021. It led to unauthorized views of information such as names, addresses, Social Security numbers, and bank routing and account numbers, primarily affecting retirement plan participants managed by JP Morgan.
The breach was detailed in a notification letter to the Office of the Maine Attorney General, which revealed that the unauthorized access came from three system users running reports they were not entitled to run. Two of these individuals were employees of a client’s employee benefit plan administration and one was hired directly by a JP Morgan client; they accessed detailed financial data potentially including account numbers and security codes. The unauthorized access occurred on several occasions, with a total of 12 reports run between August 2021 and February 2024.
In response to the discovery, JP Morgan has taken steps to mitigate the fallout from this breach. The firm has addressed the access issue and applied updates to the software to prevent similar incidents in the future. Where deleting the data from backup files is not feasible, it is monitoring those files for any possible data restoration. Additionally, JP Morgan is offering two years of free credit monitoring through Experian’s IdentityWorks to support those affected.
This incident underscores the persistent cybersecurity risks faced by major financial institutions, highlighting the challenges of safeguarding sensitive information. JP Morgan, a leading global financial services firm, remains a prime target for cybersecurity threats, evidenced not only by this incident but also by increased hacking attempts in recent years. The bank has taken steps to enhance security and reassure customers, although the recurrence of such breaches emphasizes the ongoing vulnerability of personal data within the financial sector.