Data breach at J.P. Morgan Chase exposes records of 451,000 retirement savers

May 14, 2024

Not every big breach these days is a cyberattack. Sometimes it is just human error. Pensions & Investments recently reported that more than 451,000 people were affected by an incident that occurred at J.P. Morgan Chase Bank.

The breach was disclosed to the Maine Attorney General’s office on April 29.

The bank, which is a benefit payments agent for clients’ plans, disclosed that on February 26, 2024, it discovered “a software issue in a vendor-provided system that supports our Benefit Payment Services product.” The vendor was not named.

In certain conditions, the software could allow authorized system users to access retirement plan participants’ records that they were not entitled to see. We determined that the incorrect entitlements were limited to three authorized system users who as a part of their job regularly access this type of information and have an obligation to safekeep it. Two of the users are employees of employee benefit plan administrators hired by J.P. Morgan clients. The third user was an employee of a J.P. Morgan client. One of these users self-reported the issue to us. We promptly addressed the access issue and confirmed that the users’ access had been corrected. We have also tested and applied a software update.

The users downloaded a total of twelve reports, from August 26, 2021, through February 23, 2024, that included participant names, social security numbers, mailing address, payment and deduction amounts, and where direct deposit is used, bank routing and account numbers. We confirmed that the users did not have the ability to make changes to participants’ records. The employers of all three individuals have reported deletion of the data from active drives and are monitoring backup files for any restoration where deletion from such backup files is not possible.

At least one lawsuit has already been filed as a result of the breach. A former Long Island Railroad employee, whose retirement account is administered by J.P. Morgan, alleges that his and other participants’ personally identifiable information (PII) was compromised and unlawfully accessed due to the breach.