NEW YORK and BOSTON -- JPMorgan Chase is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July.
The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits.
JPMorgan (JPM) said Wednesday it detected that its web servers used by its site www.ucard.chase.com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement.
Bank spokesman Michael Fusco said that in the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken. He declined to discuss how the attackers breached the bank's network.
Fusco said the bank is notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it can't rule out the possibility that their personal information was among the data removed from its servers.
The bank typically keeps the personal information of its customers encrypted, or scrambled, as a security precaution. However, during the course of the breach, %VIRTUAL-article-sponsoredlinks%personal data belonging to those customers had temporarily appeared in plain text in files the computers use to log activity.
The bank believes "a small amount" of data was taken, but not critical personal information such as Social Security numbers, birth dates and email addresses.
Cybercriminals covet such data because it can be used to open bank accounts, obtain credit cards and engage in identity theft. Many states require banks to notify customers if they believe there is any chance that such information may have been taken in a breach.
The bank is also offering the cardholders a year of free credit-monitoring services.
The warning only affects the bank's UCard users, not holders of debit cards, credit cards or prepaid Liquid cards.
Fusco said the bank hasn't found that any funds were stolen as a result of the breach and that it has no evidence that other crimes have been committed. As a result, it isn't issuing replacement cards.
The spokesman declined to identify the government agencies and businesses whose customers it had warned about the breach. Fox 8 News in New Orleans reported on its website that three Louisiana agencies were notified by the bank Wednesday that the personally identifiable information of some state citizens may have been exposed.
State officials couldn't be reached for comment late Wednesday.
The bank said it doesn't know who was behind the attack, though the Secret Service and FBI are investigating the matter.
Businesses and government agencies are increasingly using prepaid cards because they are easier to cash than paper checks.
Yet the vast stores of data behind payment cards of all kinds have created new risks. In 2007 some 41 million credit and debit card numbers from major retailers, including the owner of T.J. Maxx (TJX) stores, were stolen.
In May of this year U.S. prosecutors said a global cybercrime ring had stolen $45 million from banks by hacking into credit card processing firms and withdrawing money from automated teller machines in 27 countries.
Why Your Bank Thinks Someone Stole Your Credit Card
JPMorgan Warns 465,000 Card Users on Data Loss After Cyberattack
One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.
"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.
The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.
Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.
"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."
(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)
People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.
"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.
Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.
There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).
When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.
"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."
Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.
Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.
"I go from New York to California a lot, and invariably someone will call me [from the bank], " he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.