As we’ve discussed many times before on this blog, data breaches are a big deal. If your private information is leaked, you could suffer the effects of fraud and identity theft for years to come.
And, unfortunately, data breaches are not rare: hackers always find new and innovative ways to get at your information, no matter how secure you may think it is. Usually, companies who know they’ve suffered a data breach can respond only one way: they tell customers to change logins or offer credit monitoring services.
All of which JP Morgan Chase did last week after they discovered a breach in their UCard system last September. But notifying customers after a breach is neither prevention nor cure. The whole situation could have been avoided had JP Morgan Chase used some standard security precautions in the first place.
UCard: Lesser Known Chase Product
If you haven’t heard of Chase’s UCard product, you’re not alone. Unlike the bank’s more common credit cards, debit cards and pre-paid cash cards, UCard is a Benefits transfer tool: UCard holders use the service to receive tax refunds, child support, unemployment, or other government benefits.
According to Reuters, electronic payments through pre-paid cards like UCard are an increasingly popular way to deliver payments, as they’re cheaper to process than paper checks.
Pre-Paid Cards Convenient but Vulnerable
But pre-paid cards like UCard require a significant data trail. And if that trail isn’t properly encrypted, a breach like this one can occur. That’s exactly what happened in this case. Naked Security explains:
Unencrypted data can mean serious trouble for consumer privacy.
Financial transactions need scrupulous auditing, and that means keeping an accurate record somewhere of what happened, and when.
But logging can be a security risk as well as a benefit – you should be encrypting personally identifiable data both at rest (when it is written to disk) and on the move (as it flows across the network).
Somewhere along the line, there were temporary unencrypted text files, with user information written plainly for a hacker to see. This is a major security problem, and one that’s definitely shaken state governments’ faith in Chase.
For now, Chase is maintaining that the data that was leaked was less sensitive: no Social Security numbers or birth dates fell into the hands of the hackers.
What Happens Now?
JP Morgan Chase has notified the 465,000 customers possibly affected by the breach and those customers were offered a year of free credit monitoring. JP Morgan Chase is declining to offer replacement UCards to the affected customers, however, saying there’s no evidence of a crime being committed with the stolen data at present.
Chase is not issuing replacement cards to UCard Customers.
So, why the delay between discovering the breach, and notifying customers?
Well, it seems that part of the issue was figuring out which customers to notify. From Reuters:
Bank spokesman Michael Fusco said that since the breach was discovered, the bank has been trying to find out exactly which accounts were involved and what information may have been compromised. He declined to discuss how the attackers breached the bank’s network.
Hopefully, the no-crimes report is accurate, and this data breach won’t result in identity theft opportunities.
But as electronic payment methods become more popular, the onus is on banks and institutions to make sure encryption is up to snuff.
Do you think a company’s shoddy security has cost you? Let us know.
See Also
Protect Your Child’s Privacy from Back to School Identity Theft
Student Identity Theft: Stanford University Compromised in Massive Data Breach
How To Deal with a Security Breach and Protect Your Private Info
Interesting. Does the Chase spokes-fibber have TWO sets of gums?
The bank says, “No new cards will be offered because less sensitive information was leaked”. Later they admit they do not really knowing which ACCOUNTS, much less what data was stolen. Good going, guess they just Chas-ed me to another institution!