JPMorgan Chase today revealed details of a cyber-attack that was first reported in August. In an 8-K U.S. Securities and Exchange Commission (SEC) filing, JPMorgan revealed that 76 million households and an additional 7 million small businesses were affected by the data compromise.
Although the bank admits it was breached, it claims that user information including account numbers, passwords and Social Security numbers were not stolen in the attack. Additionally, JPMorgan asserts that it is not aware of any customer fraud event related to the data breach.
So what actually was compromised?
"User contact information—name, address, phone number and email address—and internal JPMorgan Chase information relating to such users have been compromised," the 8-K filing states.
JPMorgan Chase also emphasized in its filing that even though it is not currently aware of any fraud activities, customers are not liable for unauthorized transactions—that is, if a customer promptly alerts the bank to any issues that are noticed.
JPMorgan also asserts that it "continues to vigilantly monitor the situation and is continuing to investigate the matter." Additionally, the bank is working with U.S. government agencies that are investigating the incident.
The 8-K filing comes on the same day that reports came out alleging that a second attack took place against JPMorgan Chase. JPMorgan has denied that the reports of the second attack are, in fact, accurate.
Beyond the SEC filing, JPMorgan Chase has stated nothing publicly about the hacking incident. A report in the Wall Street Journal, citing people familiar with the matter, indicates that attackers hit the servers that contain contact information for jpmorgan.com and chase.com. According to the report, the attack occurred in June and August and initially went unnoticed by the bank.
The report also alleges that the root cause of the exploit was by way of a JPMorgan employee's computer, which led the bank to reset the password of the bank's staff.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.