NEW YORK/BOSTON (REUTERS) - JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July.
The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits.
JPMorgan said on Wednesday it detected that its web servers used by its site www.ucard.chase.com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement.
Bank spokesman Michael Fusco said that in the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken. He declined to discuss how the attackers breached the bank's network.
Fusco said the bank is notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it cannot rule out the possibility that their personal information was among the data removed from its servers.
The bank typically keeps the personal information of its customers encrypted, or scrambled, as a security precaution. However, during the course of the breach, personal data belonging to those customers had temporarily appeared in plain text in files the computers use to log activity.
The spokesman declined to identify the government agencies and businesses whose customers it had warned about the breach.
The bank said it does not know who was behind the attack, though the Secret Service and FBI are investigating the matter.
Businesses and government agencies are increasingly using prepaid cards because they are easier to cash than paper checks. Yet the vast stores of data behind payment cards of all kinds have created new risks. In 2007 some 41 million credit and debit card numbers from major retailers, including the owner of T.J. Maxx stores, were stolen.
In May of this year U.S. prosecutors said a global cybercrime ring had stolen US$45 million from banks by hacking into credit card processing firms and withdrawing money from automated teller machines in 27 countries.