A group of state attorneys general who are investigating a computer systems breach last summer at JPMorgan Chase, which potentially exposed some information for 83 million consumers and small businesses, wants the bank to explain how it can be certain no sensitive information was compromised.
The group, which includes more than 15 attorneys general and is led by those from Illinois and Connecticut, sent a letter last Thursday to JPMorgan and its outside lawyers seeking more details about the nature of the breach and what measures the bank was taking to prevent a similar incident.
JPMorgan has said the breach, which went undetected for several months, only allowed the hackers to gain access to customer phone numbers, addresses and email addresses. More sensitive information – like financial data, Social Security numbers, email passwords and user identification combinations – remained safe, the bank said.
But the group said much about the breach remained a mystery.
“Critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent future breaches,” said the letter, a copy of which was obtained by The New York Times.
The letter was sent to Zoe Strickland, JPMorgan’s global chief privacy officer, and outside lawyers working for the bank at WilmerHale and Hunton & Williams.
The group of attorneys general also requested information about the number of consumers in each state affected by the breach, a “complete timeline of events leading up to the discovery the breach” and copies of any internal or third-party investigative reports compiled after the breach’s discovery.
JPMorgan, which has said it spends about $250 million a year on cybersecurity, was given until Jan. 23 to comply with the request for information. The bank was directed to send its response to lawyers working in the privacy groups at the offices of Lisa Madigan, the Illinois attorney general, and George Jepsen, her counterpart in Connecticut.
A bank spokeswoman declined to comment on the letter.
The breach at JPMorgan took place after the still unidentified hackers stole the login credentials for a JPMorgan employee and then managed to gain access to a server the bank apparently neglected to upgrade with a so-called two-factor authentication process. Double authentication schemes are commonly used in the banking industry and usually require a second one-time password to gain access to a protected system.
Once inside JPMorgan’s system, the hackers managed to gain high-level access to more than 90 servers. But the bank has said the hackers were stopped before they could retrieve private customer financial information.