Security Breach: JP Morgan UCards Hacked & User Data Stolen
The Pennsylvania Treasury Department (PTD) announced that hackers have compromised the digital security of the JP Morgan Chase UCard Center and extracted personal information about residents who receive unemployment and workers’ compensation benefits.
The attack happened last July and involved the UCards issued to corporations to pay employee paychecks and to government agencies to pay tax refunds and unemployment benefits.
More than 400,000 customers were affected by the breach.
The UCard website itself was breached just last September, and the breach was reported to law enforcement.
Michael Fusco, spokesman for JPM, said: “Since the breach was discovered, the bank has been trying to find out exactly which accounts were involved and what information may have been compromised. The bank was notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it couldn’t rule out the possibility that their personal information was among the data removed from its servers.”
Personal information about customers is kept in encrypted areas; however, during the hack this information was available in “plain text” in easily accessed activity log files.
JPM claims only a “small amount” of data was extracted and that it did not contain customer Social Security numbers, birth dates or email addresses.
However, they are offering those cardholders a year of free credit-monitoring services.
Fusco explained: “The bank had not found that any funds were stolen as a result of the breach and that it had no evidence that other crimes have been committed. As a result, it is not issuing replacement cards.”
Trustwave, a security firm, released a report showing that hackers used keylogging software to extract usernames and passwords from an estimated 2 million users.
This software mirrors login credentials for websites and siphons information from proxy servers.
The server involved was traced to the Netherlands and had breached websites such as Facebook, Yahoo, Google+, Gmail, YouTube, Twitter, LinkedIn, ADP and Odnoklassniki.
Goldenshores Technologies (GST) is responsible for the Brightest Flashlight app and has been accused by the US Federal Trade Commission (FTC) of mining user data and selling location information.
The FTC said “tens of millions” of Android users were affected by this app, which collected data such as the location of the device and the device’s ID that was sold to third parties.
Jessica Rich, director of the FTC Bureau of Consumer Protection (BCP), said: “When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used.”
GST told their customers an annotated version of their dealings to keep users from complaining. They also ignored requests from users to not sell their information to other corporations.