19 States Seek Data on Damages from JPMorgan Breach

January 15, 2015 by

JPMorgan Chase & Co. was pressed for more evidence by a group of states probing a data breach that jeopardized millions of customer accounts last year, including whether any of the compromised information has been connected with fraud.

The group of 19 attorneys general are seeking more information by Jan. 23, including a full timeline of events that led to discovery of the breach, “any vulnerability exploited in connection” and the company’s efforts to probe and mitigate the damages, according to a letter dated Jan. 8, which was obtained by Bloomberg News.

The request comes as President Barack Obama on Jan. 13 called for new laws requiring companies to disclose instances when they’ve been hacked and preventing companies from profiting from student data. Obama’s proposal followed breaches at Sony Corp.’s entertainment unit and Target Corp.

“This incident raises concerns about the security of our states’ residents’ private information in the hands of JPMC,” the group said in the letter. “Further, critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches.”

Trish Wexler, a spokeswoman for JPMorgan Chase, declined to comment on the letter by phone.

JPMorgan, the biggest U.S. bank, said in October that a data breach by hackers affected 76 million households and 7 million small businesses, with customer names, addresses, phone numbers and e-mail details taken.

The New York Times reported on the letter earlier.

Related: Hypothetically, Here’s How to Respond to a Data Breach

The attorneys general asked for information about JPMorgan’s customers subject to the breach and why the bank said there was no evidence that passwords or Social Security numbers were compromised.

The attorney generals also asked for the number of customers in each of the 19 states affected by the breach and whether the company was aware of any fraudulent activity resulting from it.

The group also sought information on JPMorgan’s security protocols, including such things as the use of two-factor authentication for access to the servers, which requires two separate ways of identifying a user.

JPMorgan shares fell 3.5 percent to $56.81 in New York, the biggest decline in almost three months, after the company reported the lowest fixed-income trading revenue since the financial crisis and legal costs that were about twice as high as some analysts estimated.

–With assistance from Keri Geiger in New York

Related: