And, unfortunately, data breaches are not rare: hackers always find new and innovative ways to get at your information, no matter how secure you may think it is. Usually, companies that know they’ve suffered a data breach can respond in only one way: they tell customers to change logins or offer credit monitoring services.
All of which JP Morgan Chase did last week after they discovered a breach in their UCard system last September. But notifying customers after a breach is neither prevention nor cure. The whole situation could have been avoided had JP Morgan Chase used some standard security precautions in the first place.
UCard: Lesser Known Chase Product
If you haven’t heard of Chase’s UCard product, you’re not alone. Unlike the bank’s more common credit cards, debit cards and pre-paid cash cards, UCard is a benefits transfer tool: UCard holders use the service to receive tax refunds, child support, unemployment, or other government benefits.
According to Reuters, electronic payments through pre-paid cards like UCard are an increasingly popular way to deliver payments, as they’re cheaper to process than paper checks.
Pre-Paid Cards Convenient but Vulnerable
But pre-paid cards like UCard require a significant data trail. And if that trail isn’t properly encrypted, a breach like this one can occur. That’s exactly what happened in this case. Naked Security explains:
Financial transactions need scrupulous auditing, and that means keeping an accurate record somewhere of what happened, and when.
But logging can be a security risk as well as a benefit – you should be encrypting personally identifiable data both at rest (when it is written to disk) and on the move (as it flows across the network).
Somewhere along the line, there were temporary unencrypted text files, with user information written plainly for a hacker to see. This is a major security problem, and one that’s definitely shaken state governments’ faith in Chase.
For now, Chase is maintaining that the data that was leaked was less sensitive: no Social Security numbers or birth dates fell into the hands of the hackers.
What Happens Now?
JP Morgan Chase has notified the 465,000 customers possibly affected by the breach, and those customers were offered a year of free credit monitoring. JP Morgan Chase is declining to offer replacement UCards to the affected customers, however, saying there’s no evidence of a crime being committed with the stolen data at present.
So, why the delay between discovering the breach, and notifying customers?
Well, it seems that part of the issue was figuring out which customers to notify. From Reuters:
Bank spokesman Michael Fusco said that since the breach was discovered, the bank has been trying to find out exactly which accounts were involved and what information may have been compromised. He declined to discuss how the attackers breached the bank’s network.
Hopefully, the no-crimes report is accurate, and this data breach won’t result in identity theft opportunities.
But as electronic payment methods become more popular, the onus is on banks and institutions to make sure encryption is up to snuff.
Do you think a company’s shoddy security has cost you? Let us know.