JPMorgan Chase, the country’s biggest bank, said in a regulatory filing Thursday that 76 million households and 7 million small businesses were affected by a breach of its computer systems over the summer.
The breach, one of the largest on record, easily rivals the attack Target suffered during the holiday season, when hackers lifted personal information and credit card numbers from up to 110 million customers. Since then, a series of marquee brands, including Home Depot and Neiman Marcus, have been victims of hackers, leading to an industry-wide call for tougher security and federal laws.
In the case of JPMorgan, hackers obtained customer names, addresses, phone numbers and e-mail addresses as well as internal bank information “relating to such users,” according to the filing. But the bank claims “there is no evidence” that customers’ account information — including passwords, user IDs, birth dates or Social Security numbers — was compromised during the attack.
The bank’s disclosure comes nearly two months after the FBI said the bureau was investigating intrusions into JPMorgan computers. The hackers took gigabytes of sensitive data, the FBI said at the time. JPMorgan has not said who launched the attack, though Bloomberg News reported in August that it was the work of Russian hackers.
Hackers first accessed JPMorgan’s system sometime in June, making several additional attempts to collect more data until the bank caught wind of what was happening in August, according to people who spoke on the condition of anonymity because they were not authorized to speak publicly.
It is still unclear exactly how criminals were able to repeatedly gain access to JPMorgan’s computer systems. But people close to the matter said hackers may have compromised employee passwords, which have all been reset at this point.
Within minutes of making the Securities and Exchange Commission filing, JPMorgan posted a notice to customers on its Web site, attempting to allay fears. The notice stressed that customers’ money at the bank is safe.
“Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident,” the statement says. “You are not liable for any unauthorized transactions on your account that you promptly alert us to.”