JPMorgan Chase & Co., the biggest U.S. bank, said a previously disclosed data breach affected 76 million households and 7 million small businesses.
Customer names, addresses, phone numbers and e-mail addresses were taken, the New York-based bank said today in a regulatory filing. Hackers also obtained internal data identifying customers by category, such as whether they are clients of the private-bank, mortgage, auto or credit-card divisions, said a person briefed on the matter.
The breach affected anyone who visited the company’s websites, including Chase.com, or used its mobile app, said the person, who requested anonymity because that information wasn’t publicly disclosed. Some of those affected by the incursion are former clients of JPMorgan, which currently has 65 million customers and reaches half of all U.S. households, the person said.
The bank, led by Chief Executive Officer Jamie Dimon, hasn’t detected “any unusual customer fraud” related to the attack, and clients aren’t liable for unauthorized transactions that are promptly reported to the company, according to the filing.
“There is no evidence that account information for such affected customers -– account numbers, passwords, user IDs, dates of birth or Social Security numbers –- was compromised during this attack,” the company said.
The number of households affected by the attack on JPMorgan compares with the 145 million personal records taken earlier this year in a breach of EBay Inc. and last year’s attack on retailer Target Corp., which affected 110 million.
JPMorgan shares fell 0.4 percent to $58.58 at 6:19 p.m. in extended trading in New York after the firm announced the scope of the breach. The stock gained less than 1 percent this year through the close of regular trading today.
The attack on the lender, which is being probed by the Federal Bureau of Investigation and other agencies, started in June at the digital equivalent of the company’s front door, exploiting an overlooked flaw in one of its websites, two people familiar with the bank’s investigation have said.
The hackers unleashed malicious programs designed to penetrate the corporate network, the people said. With sophisticated tools, the intruders reached deep into the bank’s infrastructure, siphoning gigabytes of information, until mid-August.
Only then did a JPMorgan team conducting a routine scan trigger an alarm. They discovered a breach that investigators believe originated in Russia, the people said.
Government officials and security specialists have long warned of the possibility of cyber disruptions in the financial system and other essential services and utilities. Those concerns are heightened in times of conflict.
Russia’s annexation of the Crimean peninsula touched off a wave of sanctions in March that have hurt trade and threaten to send President Vladimir Putin’s economy into recession. Tensions mounted as the conflict expanded beyond Crimea and as the U.S. and Europe deepened their protests of Russia’s actions.
Dmitry Peskov, a spokesman for Putin, previously dismissed the notion that Russia was behind the JPMorgan attack as “nonsense.”