(Bloomberg) -- JPMorgan Chase & Co. was pressed for more evidence by a group of states probing a data breach that jeopardized millions of customer accounts last year, including whether any of the compromised information has been connected with fraud.

The group of 19 attorneys general are seeking more information by Jan. 23, including a full timeline of events that led to discovery of the breach, “any vulnerability exploited in connection” and the company’s efforts to probe and mitigate the damages, according to a letter dated Jan. 8, which was obtained by Bloomberg News.

The request comes as President Barack Obama on Jan. 13 called for new laws requiring companies to disclose instances when they’ve been hacked and preventing companies from profiting from student data. Obama’s proposal followed breaches at Sony Corp.’s entertainment unit and Target Corp.

“This incident raises concerns about the security of our states’ residents’ private information in the hands of JPMC,” the group said in the letter. “Further, critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches.”

Trish Wexler, a spokeswoman for JPMorgan Chase, declined to comment on the letter by phone.

N.Y. Proposal

New York’s Eric Schneiderman, one of the attorneys general demanding more information from JPMorgan, said he is planning to propose a bill that would expand the types of information covered by the state’s privacy breach notification requirements.

Currently, New York’s requirements only apply to certain combinations of information such as names and Social Security numbers. Most state laws governing notification of breaches contain similar restrictive provisions, according to the National Conference of State Legislatures.

Schneiderman said in a statement that if passed, the new law would be “the strongest” and “most comprehensive in the nation.”

JPMorgan, the biggest U.S. bank, said in October that a data breach by hackers affected 76 million households and 7 million small businesses, with customer names, addresses, phone numbers and e-mail details taken.

The New York Times reported on the letter earlier.

Passwords, Customers

The attorneys general asked for information about JPMorgan’s customers subject to the breach and why the bank said there was no evidence that passwords or Social Security numbers were compromised.

The attorney generals also asked for the number of customers in each of the 19 states affected by the breach and whether the company was aware of any fraudulent activity resulting from it.

The group also sought information on JPMorgan’s security protocols, including such things as the use of two-factor authentication for access to the servers, which requires two separate ways of identifying a user.

JPMorgan shares fell 3.5 percent to $56.81 on Wednesday in New York, the biggest decline in almost three months, after the company reported the lowest fixed-income trading revenue since the financial crisis and legal costs that were about twice as high as some analysts estimated.

To contact the reporter on this story: Chris Dolmetsch in New York State Supreme Court in Manhattan at

cdolmetsch@bloomberg.net

To contact the editors responsible for this story: Michael Hytha at mhytha@bloomberg.net David E. Rovella, Joe Schneider