JPMorgan Chase made a regulatory filing with the Securities and Exchange Commission Thursday which disclosed a major security breach that occurred over the summer. This breach, which was originally thought to affect only one million customers, has actually compromised the personal information of over 76 million household accounts — as well as 7 million small business accounts. Although it was discovered in July, the actual attack lasted from mid-June through mid-August, according to the New York Times. Anyone who uses one of JPMorgan Chase’s online banking websites is at risk.

What do I need to know about this JPMorgan Chase breach?

During this breach, hackers were able to get deep inside JPMorgan’s computer systems, accessing the accounts of more than 90 servers. Investigations by JPMorgan Chase as well as the FBI have led to the conclusion that no money was taken and no sensitive financial information was leaked. This is a relief, considering the amount of information kept by banks is far greater than what is at risk in the major data breaches we’ve seen at retailers like Home Depot and Target. JPMorgan Chase was also required to notify its regulators, including the Federal Reserve, on the extent of the breach.

One concern worth noting is evidence that the hackers recorded a list of the programs and web applications used by all standard JPMorgan Chase computers. Having this information enables them to test for vulnerabilities that will allow wider access into the bank’s system. Considering it will take a few months at the least for all of these programs and web applications to be switched out for new ones, this is troubling information for hackers to have.

What customer information was exposed?

During the hackers’ two-month access to JPMorgan Chase’s systems, they were able to access customers’ names, phone numbers, and email and physical addresses — as well as “internal information relating to customers.” The bank has not disclosed what that information might be. However, it has assured customers via a FAQ page that there is no evidence that user IDs, passwords, account numbers, social security numbers or birth dates were exposed.

What can I do to protect myself?

If you are an account holder with JPMorgan Chase, you are probably worried about your privacy and security. Even though your most sensitive information was not exposed, a good amount of personal information is at risk. There are several steps you can take to stay ahead of any criminals who might be looking to use your information for harm.

1. Be wary of strange phone calls and emails. Since telephone numbers and email addresses were exposed in this attack, there is a chance you may receive phony calls and emails. Be alert and remember not to give out any personal information over email or the phone. If you receive a phone call from someone claiming to be from Chase, ask them as many questions as you can. Don’t answer any questions or demands they have — instead, hang up and call your local branch to verify that the call is legitimate. Chances are, it won’t be. Be sure to get the number from the website. Similarly, treat any emails from JPMorgan Chase with caution. If an email requests that you log into your account, don’t click on any links contained within. Instead, visit the website URL directly and log in from the secure website link.

2. Shred your mail. Any time your address is exposed, there’s a risk of thieves using it against you. It is important to shred all mail that you throw away, especially letters from financial institutions as well as pre-approved credit card offers. Thieves aren’t above going garbage diving, so you want to ensure there is nothing in your trash they can use. When looking for a shredder, be sure to purchase one that can cross-cut so mail can’t be reassembled.

3. Change your password. Now, while it is true that account login information was not exposed during this attack, it’s always a good idea to change your passwords regularly. This is especially true for important accounts like your online banking. Changing your password often helps reduce the likelihood of your account being hacked. A good rule of thumb for changing your password is to do it every three months. You want to be sure to choose a strong password and not re-use old ones. Not sure how to create a strong password? Check out our blog on password creation.

4. Consider identity theft protection. Having this service on your side can help give you peace of mind, as well as keep you up-to-date on what’s going on with your identity. Top-rated identity theft protection services monitor your personal information, including what was exposed in this breach, on the black market to ensure it isn’t being used, traded or sold. Many also monitor your credit reports and provide regular reports and scores so you are aware of your credit activity. If your identity should be compromised, they will help you with the restoration process.

You can learn more about identity theft protection services and how to stay safe online and off by visiting our identity theft blog.