Mega-bank JPMorgan Chase has admitted to suffering a major data breach that has been rumored since August, saying that as many as 76 million households and 7 million small businesses have been affected.
The bank, which has never discussed the breach publicly before, made the disclosure in a filing with the US Securities and Exchange Commission on Thursday, as required by finance law.
Attackers made off with names, addresses, phone numbers, email addresses, and "internal JPMorgan Chase information" for millions of the bank's customers, the report admits, although it claims no login information – such as account numbers, passwords, user IDs, dates of birth, or Social Security numbers – was compromised.
Rumors that Chase had fallen victim to a serious breach have been circulating since August, when reports emerged that the FBI was investigating a major hacking attack against Chase and another, as-yet-unnamed bank.
At the time, the leading theory was that the attack was launched by organized cyber-criminals based in Russia, possibly with state sponsorship. The FBI has not released any information about its probe since then.
While Chase previously dismissed questions about the mishap, saying it experienced hacking attempts "nearly every day," it now appears this particular incident was even more serious than was first believed.
The source of the breach is thought to be a zero-day vulnerability in the affected banks' websites, which has since been patched.
Chase said it has not seen any evidence of "unusual customer fraud" related to the breach, adding that its customers would not be liable for any unauthorized transactions, so long as they report suspicious activity promptly.
The bank "continues to vigilantly monitor the situation and is continuing to investigate the matter," it said, which includes working with government agencies to track down the culprits. ®