The Third Party Risk Perspective: JPMorgan Chase UCARD Data Breach

Earlier this month, tech security blogs and mainstream news outlets reported on a large data breach that affected banking giant JPMorgan Chase. During the event, which lasted from mid-July to mid-September, the personal information of customers who accessed online accounts of the bank’s UCARD product may have been exposed. While there seems to be no official word on the cause of the breach, the prevailing consensus from news sources is that unencrypted customer data was visible in plain text from logs that track user actions on the website. While the bank insists there is no evidence of illicit use of the compromised information, it is offering affected customers temporary credit monitoring.
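The reported cause, customer fields written in plain text to the website's user-activity logs, is the defect that a redaction step at the logging layer addresses. The following is an added example, not code from JPMorgan Chase or from the original post: a Python logging filter that masks card numbers (Luhn-checked so that other numeric ids are left alone), e-mail local parts and date-of-birth fields before a record reaches any handler; the field names and the sample line are constructed assumptions.

```python
import logging
import re

# Patterns for the fields the reports say were exposed: card numbers,
# e-mail addresses and dates of birth. The DOB field names are assumptions.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOB_RE = re.compile(r"(?i)\b(dob|birth_date|date_of_birth)=\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so only digit runs that are plausibly card numbers get masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)  # e.g. an order or reference id: leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]

def redact(line: str) -> str:
    """Strip PII from one log line before it is written anywhere."""
    line = PAN_RE.sub(_mask_pan, line)
    line = EMAIL_RE.sub(lambda m: "***@" + m.group(0).split("@", 1)[1], line)
    line = DOB_RE.sub(lambda m: m.group(1) + "=<redacted>", line)
    return line

class RedactingFilter(logging.Filter):
    """Attach to the handler: redaction happens once, not at every call site."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def log_through_filter(fmt: str, *args) -> str:
    """Run one message through the filter and return what a handler would emit."""
    record = logging.LogRecord("demo", logging.INFO, "demo.py", 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()

# Constructed sample request-log line (hypothetical, not from the incident).
SAMPLE_LINE = ("GET /account?card=4111-1111-1111-1111&dob=1980-05-17 "
               "user=jane.doe@example.com ref=1234567890123")
```

Install it with `handler.addFilter(RedactingFilter())` on every handler that writes request or audit logs, so the masking applies regardless of which code path logs the request.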

What is the UCARD?

JPMorgan Chase offers the UCARD to government and corporate clients as a prepaid card that can be issued for salary payments, unemployment benefits, tax refunds and more. Reuters reports that out of a total 25 million UCARD holders, only about 2% were potentially affected by the breach. While that may sound insignificant, it adds up to a whopping 465,000 end users.

Who was affected?

Sophos’ Naked Security blog notes that JPMorgan Chase has released virtually no public information regarding details of the breach. But even though the bank has been tight-lipped, state agencies and regional news sources are beginning to give some insight into the extent of the breach. Some recent reports include:

  • The Pennsylvania Department of Treasury released a statement noting that 26,000 account holders in that state are affected by the breach and information such as card numbers, date of birth, user ID and email addresses could have been accessed.
  • The Providence Journal reported that 1,850 Rhode Islanders were affected by the breach, the majority of whom were using the service to collect unemployment, disability and child support.
  • Louisiana’s Commissioner of Administration Kristy Nichols informed state agencies of the breach and gave a breakdown of those affected: 6,000 tax refund cardholders, 5,300 people receiving child support and 2,200 unemployment beneficiaries.

So what does this all mean for third-party security?

Public officials from affected states have been calling on JPMorgan Chase to provide details on the cause of the breach. Other states are pushing for more serious action. Connecticut’s Secretary of State Denise Nappier has forwarded the case to the state’s attorney general to determine whether the bank broke contractual obligations by failing to give immediate notification to state agencies. She is also pushing back on the bank by implying that this failure has given the state cause to consider selecting another vendor to manage the program.

This breach is reminiscent of past incidents where cardholders were impacted when a payment card processor was compromised, reminding us that retailers and other organizations (including government offices) remain responsible for the security and privacy of consumer information when they outsource operations to a third party. While legal action in these cases may be justified, it is no substitute for a mature risk management program that not only accounts for internal security, but also analyzes third-party information security risk. This case raises the question: what is your organization doing to monitor the security posture of partners and vendors with access to sensitive information?