More than 451,000 individuals were affected by a data breach that occurred at J.P. Morgan Chase Bank, the company disclosed in a regulatory filing with the Office of the Maine Attorney General on April 29.
The bank said that a software issue in a vendor-provided system allowed users to access retirement plan participants’ records that they were not entitled to see.
The “incorrect entitlements” were limited to three authorized system users who as part of their job regularly access this type of information and have an obligation to safekeep it, J.P. Morgan said in the filing.
The three users were employed by J.P. Morgan customers or their agents. From Aug. 26, 2021, through Feb. 23, 2024, they downloaded a total of 12 reports that included participant names, social security numbers, mailing addresses, payment and deduction amounts as well as bank routing and account numbers if direct deposit was used.
Once the bank became aware of the software issue on Feb. 23, it corrected the users’ access issue and tested and applied a software update, according to the filing.
“There is no indication of data misuse,” a J.P. Morgan spokesperson said in a statement, adding that the breach was not part of a cyberattack. “We promptly addressed the issue and applied a software update.”
The bank is offering individuals affected by the breach two years of identity theft-protection services through Experian.
“We are taking precautionary measures by offering credit monitoring services at no cost and making our call center available to address participant questions,” the J.P. Morgan spokeswoman said.
