One of Gov. Bobby Jindal’s cabinet secretaries said Thursday that JPMorgan Chase waited months before alerting the administration about a computer hacking that impacts 13,500 Louisiana residents.
State Revenue Secretary Tim Barfield said he is reserving judgment but wants to know why there was a delay. He said JPMorgan Chase & Co. learned about the breach in September and phoned his office just this week.
“My question was ‘Why are you just telling us this now?’ and they indicated they’d been working on it with law enforcement,” Barfield said. “I don’t really have a clear answer on why they delayed.”
Bank officials alerted the Jindal administration about the security breach just before noon Wednesday. A followup call later in the afternoon revealed more details. The state Division of Administration issued a press release Wednesday night.
Across the country, more than 450,000 people with pre-loaded debit cards may have had personal information stolen by hackers who broke into the bank’s website, www.ucard.chase.com, last summer.
In Louisiana, the breach impacted thousands who logged onto the Internet between July and September 2013 to register pre-loaded debit cards for income tax refunds, child support or unemployment benefits.
Michael Fusco, a spokesman for JPMorgan Chase, said Thursday that the bank discovered the hacking in September and set about protecting cardholders’ data and accounts. The first call, he said, was to law enforcement.
“Once we fixed the issue, we began an extensive investigation to understand what happened (and) what, if any, information was exposed and who was potentially affected,” Fusco said.
Fusco said there is no evidence that cardholders’ information was used improperly. The bank believes the data taken was too small in magnitude to result in identity theft. Nevertheless, the bank plans to make free credit monitoring available to impacted cardholders for a year.
Louisiana contracted with JPMorgan Chase to issue the pre-loaded debit cards that cut down on the number of checks that needed to be written. The state revenue department, the state Department of Children and Family Services and the Louisiana Workforce Commission issued cards for various benefits.
The hackers impacted 6,000 who got their state income tax refunds, 5,400 who collected child support with the state’s help and 2,200 who got unemployment benefits — all through debit cards. At issue is what information about cardholders’ personal identities the hackers were able to capture from unscrambled bits of data.
The bank plans to notify cardholders by email if they fell victim to the hackers. The state also wants to reach out to victims of the security breach.
Barfield said the breach was characterized as sophisticated in today’s world of computer hacking. He said he is uncertain how much knowledge the bank immediately had about the extent of the breach once it was discovered in September.
Barfield said he did not want to start a panic but realized that cardholders needed to be notified. He said the bank did not readily accept the state releasing the news about the hacking.
“They would’ve preferred to hit the market first,” he said.
Even though thousands of cardholders were impacted, the victims represent just a fraction of Louisiana residents who received debit cards from the state. For example, less than one percent of taxpayers who received cards for refunds were affected.
“One is too many. We really wanted to understand the order of magnitude,” Barfield said.