Reuters reports that JPMorgan Chase recently began notifying 465,000 users of its UCARD prepaid cash cards (about 2 percent of the total user base of 25 million) that their personal information may have been accessed by hackers in July 2013 (h/t Sophos).
The breach was detected in the middle of September. According to bank spokesman Michael Fusco, JPMorgan has spent the time since then determining which accounts were affected and what information was accessed.
It's not clear how the hackers accessed the data.
The bank says no funds were stolen as a result of the breach, and no Social Security numbers, birthdates or e-mail addresses were accessed. Still, all those affected are being offered a year of free credit monitoring services.
As Sophos' Paul Ducklin reports, the data appears to have been stolen in the form of unencrypted temporary files. "Financial transactions need scrupulous auditing, and that means keeping an accurate record somewhere of what happened, and when," Ducklin writes. "But logging can be a security risk as well as a benefit -- you should be encrypting personally identifiable data both at rest (when it is written to disk) and on the move (as it flows across the network). If you're logging sensitive data, don't wait until it reaches its final destination before encrypting it."
Photo courtesy of Shutterstock.