J.P. Morgan Data Breach Exposes 451,000 Plan Participants’ Information

More than 451,000 plan participants at J.P. Morgan Chase were impacted by a data breach in which their personal information was exposed, according to a regulatory filing that the company made to the Office of the Maine Attorney General on Monday. 

The participant information that was exposed included participants’ names, addresses, Social Security numbers, payment and deduction amounts, as well as bank routing and account numbers if the participants had set up direct deposit. 

The breach was not part of a cyberattack and there is no indication of data misuse, a J.P. Morgan spokesperson told PLANSPONSOR. A notice of the data breach that J.P. Morgan submitted to the Maine Attorney General revealed that on February 26, J.P. Morgan learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see. 

The three users were employed by J.P. Morgan customers or their agents, according to the notice. 

The system users ran a limited number of reports between August 26, 2021, and February 23, 2024. 

Lynne Atchison, executive director of benefit payment services, wrote in the disclosure notice to the Maine AG that J.P. Morgan “promptly addressed the access and applied a software update” once they were aware of the issue.  

The bank is offering individuals affected by the breach two years of identity theft protection services through Experian’s IdentityWorks platform. J.P. Morgan is also making its call center available to address participant questions.  

“Safeguarding client information is a priority,” a spokesperson said. 

In 2023, a cyberattack on data transfer software firm MOVEit, which is owned by Progress Software Corp., ended up revealing the private data of nearly 95,000 people across more than 2,500 firms, according to anti-malware company Emsisoft. The breach included retirement plan participants exposed via services vendor Pension Benefit Information LLC; firms hit included Fidelity Investments, TIAA and the California Public Employees’ Retirement System, among others. 

Later in 2023, there was a separate breach of Infosys McCamish Systems LLC, a U.S. subsidiary of Infosys BPM Ltd., based in Bangalore, India, that shut down access for a number of nonqualified compensation benefit accounts held with firms including Ascensus’ Newport, T. Rowe Price and Vanguard. 

In both incidents, impacted firms responded by providing identity theft protection to customers affected by the breach as hackers can sometimes use or sell the data to try and defraud consumers.