Data Breach Notifications

Entity Information

  • Type of Organization: Financial Services
  • Entity Name: JPMorgan Chase Bank, N.A.
  • Street Address: 545 Washington Blvd., Floor 04
  • City: Jersey City
  • State, or Country if outside the US: NJ
  • Zip Code: 07310

Submitted By

  • Name: Theresa M. Henry
  • Title: Executive Director
  • Firm name (if different than entity):
  • Telephone Number: 201-595-8683
  • Email Address: data.privacy@jpmorgan.com
  • Relationship to entity whose information was compromised: Current Employee

Breach Information

  • Total number of persons affected (including residents): 451809
  • Total number of Maine residents affected: 1683
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: Yes
  • Date(s) Breach Occured: 08/26/2021
  • Date Breach Discovered: 02/26/2024
  • Description of the Breach:
    • Other
    • If other, please specify: On February 26, 2024, we became aware of a software issue in a vendor-provided system that supports our Benefit Payment Services product. In certain conditions, the software could allow authorized system users to access retirement plan participants’ records that they were not entitled to see. We determined that the incorrect entitlements were limited to three authorized system users who as a part of their job regularly access this type of information and have an obligation to safekeep it. Two of the users are employees of employee benefit plan administrators hired by J.P. Morgan clients. The third user was an employee of a J.P. Morgan client. One of these users self-reported the issue to us. We promptly addressed the access issue and confirmed that the users’ access had been corrected. We have also tested and applied a software update. The users downloaded a total of twelve reports, from August 26, 2021, through February 23, 2024, that included participant names, social security numbers, mailing address, payment and deduction amounts, and where direct deposit is used, bank routing and account numbers. We confirmed that the users did not have the ability to make changes to participants’ records. The employers of all three individuals have reported deletion of the data from active drives and are monitoring backup files for any restoration where deletion from such backup files is not possible.
  • Information Acquired - Name or other personal identifier in combination with: Social Security Number

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 04/18/2024
  • Copy of notice to affected Maine residents: J.P. Morgan Privacy Breach Template.pdf
  • Date of any previous (within 12 months) breach notifications:
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: 2 years – Experian - Experian’s® IdentityWorks® alerts of key changes and suspicious activity found on an individual's Experian®, Equifax® and TransUnion® credit reports and provides identity theft resolution and insurance.