An attack on the computer networks of banking giant JP Morgan Chase & Co. may have exposed sensitive information belonging to 465,000 prepaid cash-card holders, according to a Reuters report.

JP Morgan said the attack targeted Web servers handling its Ucard program in mid-September and that the company has since remedied the underlying flaws that led to the breach and contacted law enforcement. The bank admitted to Reuters that attackers pilfered “a small amount” of data, but that they believe no user Social Security numbers, dates of birth, or email addresses were taken.

Troublingly, the Reuters report indicates that the information potentially exposed was not encrypted at the time of the attack, though JP Morgan claims it generally does encrypt its customers’ personal information.

Company spokesperson Michael Fusco told Reuters that JP Morgan spent the months following the attack determining which customers may have been affected and which data may have been compromised. The company is contacting those customers. He reportedly declined to disclose any technical details of the attack.

The breach reportedly affected some two percent of JP Morgan’s 25 million UCard holders, according to Fusco. Corporations apparently buy UCards from JP Morgan and issue them as payments to their employees while government agencies use them to issue tax refunds and to pay unemployment and other benefits.

As is standard operating procedure at this point, the bank is offering three years of credit monitoring services to those affected.

Categories: Data Breaches