Why Didn’t Chase Tell Customers About Breach, Before It Told Investors?

News stories indicate that while JPM Chase, the nation's biggest bank, informed investors of the breach of up to 83 million customer records, it didn't, and won't, affirmatively reach out to warn actual customers. That's how the big banks roll, but it isn't good for consumer confidence. We discuss data security on NPR's Diane Rehm Show today at 10am ET.

We appear on NPR’s Diane Rehm Show at 10 am (ET) today, Tuesday, to discuss “Cyber Attacks & The Growing Challenge Of Protecting Personal And Business Data.”

Here’s more on the issue:

News stories indicate that while JP Morgan Chase, the nation’s biggest bank, informed investors of the recent breach of up to 83 million customer records, it didn’t affirmatively reach out to warn actual customers. Worse, it doesn’t plan to do so either (CBS Marketwatch). That’s how the big banks roll, but it isn’t good for consumer confidence.

The mega-bank claims that federal standards for breach notification, which purportedly require a threat to certain account-related information, weren’t met by the “mere” breach of names, addresses, phone numbers and email addresses. Top gun state consumer officials, including Illinois Attorney General Lisa Madigan, Connecticut AG George Jepsen and New York Department of Financial Services Superintendent Ben Lawsky, are investigating to see whether there’s more to the story and whether the failure to notify violated state laws.

Nevertheless, the JP Morgan Chase breach raises major questions. After all, it is one thing for hackers using tools widely available on the Internet Underground to steal unencrypted credit card numbers from retailers ranging from Target to Home Depot, but quite another for them to scale the walls of the nation’s biggest bank (and possibly others). From the Washington Post story today, “JPMorgan breach raises alarm about safety of financial system,” by reporter Danielle Douglas:

In the case of JPMorgan, hackers got access to a massive number of accounts — 83 million households and businesses. But security experts and officials are more concerned that the attackers lingered in the system and returned at least five times to see how far they could penetrate the financial giant’s internal networks, which are generally thought to be among the most secure in corporate America, said people with knowledge of the attack who were not authorized to speak publicly. That behavior indicates something more nefarious than a simple robbery. Ultimately, the hackers appeared to cull only e-mail and physical addresses of customers, the bank has said. But the attack has raised alarms in Washington, New York and beyond, given Wall Street’s critical place in the U.S. economy.

In the short run, consumers of any bank or retailer — from JP Morgan Chase to Target or Home Depot — need to watch out for phishing campaigns. Phishing is a form of social engineering where bad guys that have a bit of info about you use it to try and trick you into giving out more. The retailer hacks could result in current account fraud or phishing scams but not identity theft. The JP Morgan Chase hack, if what they tell us is true about the limited information obtained, can result only in a phishing attack, where the bad guy seeks additional information needed to commit either current account fraud or identity theft.

Watch for suspicious emails or phone calls that appear to be legitimate. The emailer knows your name and that you have a Chase account, but that is all. The caller may know your credit card number, but not your password. He wants your Social Security number. Don’t click links in emails; don’t give out information on the phone. Separately hand-type a bank’s known URL and go to its webpage; separately, hang up the phone and call the number on your bankcard. More tips on your legal rights and protecting your information are available in this blog post and this news release. We remind you that the only way to stop new account identity theft is to use a security freeze. We also point out in detail why the often-provided sop of “credit monitoring” is useless against current account fraud.

In the long run, we need better security in the payments marketplace. Banks and merchants have announced a slow changeover from long-obsolete magnetic stripe credit and debit cards to the Chip, or EMV, system long used in Europe. A tiny number of consumers already have had their old cards replaced with Chip cards, which convert your account number to a one-time-use number, which is useless to bad guys who hack a merchant system. A better solution would be to convert fully to Chip-and-PIN cards, which also require a PIN, or password. The Chip ensures that the card has not been cloned; the PIN ensures that the card has not been stolen.

But Chip-and-PIN only works in the real world, at retailer point of sale. It does not address “card not present” (CNP) transactions, such as mobile and Internet payments. The new Apple Pay/Apple wallet and other schemes using “tokenization” (and, in the case of some Apple phones, even fingerprint verification) offer more robust and more promising CNP protections. But it is important to understand that this fight is like the old Mad Magazine “spy-vs-spy” Cold War cartoons, with increasing escalation each time a new cyber-weapon or cyber-protection is brought to bear. When we build a 10-foot wall, the bad guys go and get an 11-foot ladder.

Banks, retailers, colleges, other large institutions and government agencies have all been breached. Solutions that protect consumer privacy, accountholder assets, taxpayers, national security and consumer confidence in the financial system require a joint effort. Retailers need to improve security and install Chip readers, too, but banks need to dump the mag stripe cards faster than planned, while going beyond the mere Chip regime.

We argue that Congress should not lock itself in to some proprietary product, such as “Chip and signature,” favored by some elements of industry (the banks and card networks that control the payment system), but should instead lean toward requiring the use of best-available, technology-neutral but technology-forcing security standards. We also discuss the need to use careful solutions that also improve consumer legal protections (no matter what kind of card or device the consumer uses, debit or credit card or new device) and also protect the rights of states to continue as privacy leaders, in our recent Congressional data breach testimony.


Ed Mierzwinski

Senior Director, Federal Consumer Program, PIRG

Ed oversees U.S. PIRG’s federal consumer program, helping to lead national efforts to improve consumer credit reporting laws, identity theft protections, product safety regulations and more. Ed is co-founder and continuing leader of the coalition, Americans For Financial Reform, which fought for the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including as its centerpiece the Consumer Financial Protection Bureau. He was awarded the Consumer Federation of America's Esther Peterson Consumer Service Award in 2006, Privacy International's Brandeis Award in 2003, and numerous annual "Top Lobbyist" awards from The Hill and other outlets. Ed lives in Virginia, and on weekends he enjoys biking with friends on the many local bicycle trails.
