For more stories like this, sign up for the PLANADVISERdash daily newsletter.
Breach at J.P. Morgan Exposes Data of 451,000 Plan Participants
Participant names, addresses, Social Security numbers and bank information were exposed in an incident the bank became aware of in February.
J.P. Morgan Chase has been hit with a data breach exposing the personal information of more than 451,000 retirement plan participants, according to a Monday regulatory filing to the Office of the Maine Attorney General.
The participant information that was exposed included participants’ names, addresses, Social Security numbers, payment and deduction amounts, as well as bank routing and account numbers if the participants had set up direct deposit.
The breach was not part of a cyberattack and there is no indication of data misuse, according to a J.P. Morgan spokesperson. A notice of the data breach that J.P. Morgan submitted to the Maine Attorney General revealed that on February 26, the firm learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see.
The three users were employed by J.P. Morgan customers or their agents, according to the notice.
The system users ran a limited number of reports between August 26, 2021, and February 23, 2024.
Lynne Atchison, executive director of benefit payment services, wrote in the disclosure notice to the Maine AG that J.P. Morgan “promptly addressed the access and applied a software update” once they were aware of the issue.
The bank is offering individuals affected by the breach two years of identity theft protection services through Experian’s IdentityWorks platform and also making its call center available to address participant questions.
“Safeguarding client information is a priority,” a spokesperson said.
In 2023, a cyberattack on , which is owned by Progress Software Corp., ended up revealing the private data of nearly according to anti-malware company Emsisoft. The breach included retirement plan participants exposed via services vendor Pension Benefit Information LLC; firms hit included Fidelity Investments, TIAA and the California Public Employees’ Retirement System, among others.
Later in 2023, there was a separate breach of Infosys McCamish Systems LLC, a U.S. subsidiary of Infosys BPM Ltd., based in Bangalore, India, that shut down access for a number of nonqualified compensation benefit accounts held with firms including Ascensus’ Newport, T. Rowe Price and Vanguard.
In both incidents, impacted firms responded by providing identity theft protection to customers affected by the breach as hackers can sometimes use or sell the data to try and defraud consumers.