On Oct. 2, JPMorgan Chase publicly acknowledged in a U.S. Securities and Exchange Commission (SEC) filing that it had been breached. Reports about a possible data breach at JPMorgan Chase first emerged at the end of August, but it took more than a month for the bank to make a public disclosure on the issue.
The SEC filing is brief and contains few details on the attack. As of Oct. 3, JPMorgan Chase has not publicly posted information about the data breach for its customers on its major sites, including http://www.jpmorganchase.com/, http://www.jpmorgan.com/ or chase.com.
According to the SEC filing, 76 million households are potentially impacted by the data breach, and there is little information about the breach that is available for consumers. Unlike Target, Home Depot and other recently breached organizations, JPMorgan did not immediately set up some kind of FAQ (frequently asked questions) page on the incident that users can rapidly find.
That surely seems a bit odd. If consumers are at risk, shouldn’t they be properly informed?
JPMorgan Chase states in the 8-K filing that it is unaware of any fraudulent activity that has occurred as a result of the data breach. There is also no indication that usernames and passwords were compromised in the breach. What was breached is user contact information including name, email, address and phone number.
While other organizations that have recently been breached have offered their customers free credit monitoring, JPMorgan Chase is placing the onus on its customers to detect and report on possible fraudulent transactions.
“JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the firm to,” the 8-K filing states.
Given that the bank has not seen an increase in fraudulent transactions and the fact that usernames and passwords were not stolen, it’s not all that odd that credit monitoring is not being made available.
That said, there is still significant risk here, both to consumers and to JPMorgan Chase itself.
Attackers now have a large database of 76 million households with accurate names, addresses and emails of bank customers. With that information in hand, all manner of identity fraud, phishing and other social engineering attacks might be possible. Imagine, if you will, a phishing campaign that warns bank customers about the recent data breach, asking users to log in to their accounts. That would not be good and could potentially trick naive users into being exploited.
For JPMorgan Chase, the risk is now also about trust. In the data breach at eBay earlier this year, the online auction site also noted that nonfinancial information was stolen. Yet that breach had a financial cost to eBay. During eBay’s second quarter fiscal 2014 earnings call, Bob Swan, the company’s chief financial officer, noted that there was a decline in operating margin for eBay, partially driven by expenses related to the cyber-attack.
That brings us to the issue of Oct. 14. You see, on that date, JPMorgan Chase is set to reveal its third-quarter 2014 financial results. No doubt, analysts will ask questions of the bank during the call, and no doubt, there will be some additional commentary provided at the time. Simply put, if the data breach has a material impact on JPMorgan Chase’s operations, the bank will be required to disclose it.
In the Target data breach, the company came clean on its data breach costs during its second-quarter fiscal 2014 earnings call. Target executives reported that the cost of the data breach was $148 million.
Whether or not JPMorgan Chase reveals more information about the data breach incident before Oct. 14 remains to be seen. What is certain at this point is that within the next two weeks, more details on this incident will be publicly revealed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.