New York City-based JPMorgan Chase Bank has admitted that a technical bug on its online banking website and app led to the accidental leak of customer data… to other customers.
Incidents of customer data breaches have been on the rise over the past year, alongside numerous instances of organized, targeted cyberattacks affecting organizations big, small, and in-between. Many incidents came about as bad actors, emboldened by the lack of data security on many platforms and targeting go-between service providers, orchestrated cyber intrusions that have ended up affecting thousands of businesses globally.
The Chase Bank incident, however, which is believed to have been ongoing between May 24 and July 14, 2021, illustrates how a “technical issue” can lead to inadvertent exposure of customer data despite the best intentions of all parties involved.
“We learned of a technical issue here that may have mistakenly allowed another customer with similar personal information to see your account information on chase.com or in the Chase Mobile app, or receive your account statements,” stated a Chase Data Exposure Notice seen by BleepingComputer.
While the statement did not make clear exactly what circumstances led to one customer being exposed to another customer’s information, the notice did point out that Chase online banking and Chase Mobile app customers who shared similar personal information were the ones likely to be impacted.
The financial services giant, with annual revenue of US$120 billion and over 250,000 employees worldwide, said that no evidence of any misuse of leaked customer data had been found so far, and had begun contacting affected customers and offering them a year’s worth of free credit monitoring services.
“To help protect your identity, Chase is offering a complimentary membership of Experian’s® IdentityWorks®. This product helps detect possible misuse of your personal information and provides you with superior identity protection support focused on immediate identification and resolution of identity theft,” states the Experian IdentityWorks enrollment information that accompanies the notice; the service is intended to offer identity theft resolution and identity theft insurance along with credit monitoring.
IdentityWorks might help alleviate some of the financial hardship that follows identity theft enabled by the data leak, for example when leaked details are used in fraudulent phishing emails purporting to be from Chase Bank and targeting unwary customers.
Such services might help, but offering them is also standard industry practice when a data breach occurs, and it highlights a disturbing trend of limited preventive measures around unintentional leaks of customer data at financial services institutions. Chase’s notice did not make abundantly clear what happened to the information, nor how it was exposed beyond a “technical issue”, and it was vague about the scope of affected customers: was it the data of credit card holders that was compromised, or that of business or personal banking customers, for instance?
“This does not sound entirely unlike the recent Klarna incident in Sweden, which incidentally occurred in the exact same timeframe, and impacted mobile app and website users. In that case it was an incorrectly configured cache solution. While it is a small world, the similarities are striking,” commented Martin Jartelius, chief security officer at cybersecurity specialists Outpost24.
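The Outpost24 comment above names one concrete way a “technical issue” turns into cross-customer exposure: a cache that serves one customer’s personalised response to the next customer who requests the same URL. The page does not say that this was the cause at Chase, and the following is an added illustration, not code from Chase, Klarna, Outpost24 or any vendor named here. It simulates a shared response cache in front of an account-statement handler, first keyed only by URL path (the misconfiguration) and then keyed by authenticated customer and path (the fix), plus a small check of the kind a reviewer can run over response headers to confirm a personalised page is marked `private` or `no-store`. All customer data and identifiers are constructed for the example, and the two customers deliberately share a name to mirror the notice’s “similar personal information”.

```python
"""Cross-customer exposure through a mis-keyed response cache.

Added illustration of the failure class mentioned in the quoted comment; it is
not the code or architecture of any bank or vendor named on the page. Every
account record and identifier below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed sample accounts. The two customers share a display name on purpose.
ACCOUNTS = {
    "cust-001": {"name": "J. Smith", "balance": "1,250.00", "last4": "4421"},
    "cust-002": {"name": "J. Smith", "balance": "87,300.00", "last4": "9018"},
}


def render_statement(customer_id: str) -> str:
    """Origin handler: builds the personalised statement for the authenticated customer."""
    acct = ACCOUNTS[customer_id]
    return f"Statement for {acct['name']} (...{acct['last4']}): balance {acct['balance']}"


@dataclass
class ResponseCache:
    """Minimal shared response cache. key_fn decides which requests count as 'the same'."""
    key_fn: Callable[[str, str], Tuple]
    store: Dict[Tuple, str] = field(default_factory=dict)
    hits: int = 0

    def get(self, customer_id: str, path: str) -> str:
        key = self.key_fn(customer_id, path)
        if key in self.store:          # cache hit: whoever asked first decides the body
            self.hits += 1
            return self.store[key]
        body = render_statement(customer_id)
        self.store[key] = body
        return body


def path_only_key(customer_id: str, path: str) -> Tuple:
    """Misconfigured: identical paths share one cached body, regardless of who asked."""
    return (path,)


def per_customer_key(customer_id: str, path: str) -> Tuple:
    """Corrected: a personalised response is cached per authenticated customer."""
    return (customer_id, path)


def simulate(key_fn: Callable[[str, str], Tuple]) -> dict:
    """Two customers request the same statement URL one after the other.

    Returns what each saw and whether the second customer received the first
    customer's statement (the exposure).
    """
    cache = ResponseCache(key_fn=key_fn)
    first = cache.get("cust-001", "/statements/latest")
    second = cache.get("cust-002", "/statements/latest")
    return {
        "first": first,
        "second": second,
        "leaked": second == first,   # cust-002 was shown cust-001's data
        "cache_hits": cache.hits,
    }


def shared_cache_allowed(cache_control: str) -> bool:
    """True if a shared cache (CDN or proxy) would be permitted to store the response.

    A personalised page should carry 'private' or 'no-store' so that this returns
    False; an empty header is treated as cacheable, since many shared caches then
    fall back to heuristic caching.
    """
    directives = {
        part.strip().split("=", 1)[0].lower()
        for part in cache_control.split(",")
        if part.strip()
    }
    return not directives & {"private", "no-store"}


if __name__ == "__main__":
    for label, key_fn in (("path-only key", path_only_key), ("per-customer key", per_customer_key)):
        result = simulate(key_fn)
        print(f"{label}: leaked={result['leaked']} hits={result['cache_hits']}")
        print("  cust-002 saw:", result["second"])
    for header in ("public, max-age=3600", "private, max-age=0", "no-store", ""):
        print(f"Cache-Control {header!r}: shared cache allowed = {shared_cache_allowed(header)}")
```

The point of the two key functions is that the cache itself is not the bug; the bug is a key that omits the identity the response depends on. The header check is the complementary control at the edge: even a correctly keyed application cache does not protect against a downstream proxy or CDN storing a personalised response that was marked `public`.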
Chase was one of 10 major financial institutions hit in a monumental data breach in 2014, with the data of over 83 million accounts believed to have been compromised in one of the biggest data breaches of financial customer information in history.
That mammoth incident was believed to have impacted 76 million households, with investigators still looking into it months after the attack. Customer data breaches can mirror physical burglaries in the sense that, when customer data is involved, it can take months or even years to uncover whether anything is missing.
“We hope the bank will be able to identify all cases of incorrectly accessed information and inform their users accordingly,” said Jartelius. “The bright side is that if the access were incidental and not user-controlled, the risk for abuse and misuse is decreased.”