After disclosing that an attack on its computer system compromised the accounts of more than half of all U.S. households, the nation's biggest bank is trying to put customers' worries at ease.
No money or Social Security numbers were stolen in the attack, and the bank hasn't seen "any unusual customer fraud," JPMorgan said Thursday in a regulatory filing.
But the information that was compromised -- client names, addresses, phone numbers and email addresses -- could still put customers at risk of identity theft, security experts say.
Hackers often use such information for so-called phishing attacks, in which fraudulent emails are sent to intended victims that appear to come from bank representatives. JPMorgan customers were targeted by such an attack as recently as August, when hackers sent bogus emails that prompted them to enter their account credentials and attempted to download malicious software onto their computers.
It's unclear whether that scam is related to the JPMorgan attack, which started in June and was detected in July. But security experts said the information stolen in the breach could be valuable to thieves who want to trick victims into handing over account information.
The accessed information could allow hackers to tailor their email attacks more precisely. The hackers got ahold of internal bank information about whether customers were clients of Chase's mortgage, credit card or auto loan divisions, Chase spokeswoman Kristin Lemkau.
"If hackers know that all of these email addresses belong to Chase customers, they can take advantage of that," said Chester Wisniewski, a researcher at the security firm Sophos.
Stolen email addresses, he said, "can and will lead to identity theft."
Lemkau said that email phishing attacks are "the biggest risk" for customers affected by the breach, which includes anyone who has used one of Chase's websites or mobile apps.
The bank's website urged customers to be cautious of any communications that ask for their personal information.
"Don't click on links or download attachments in emails from unknown senders or other suspicious email," the bank's website said. "We will never ask you to enter your personal information in an email or text message."
Lemkau said customers don't need new debit or credit cards and don't need to change their passwords, because that information was not compromised. The bank said it is continuing to investigate the breach, and that customers should watch their accounts, as customers will not be liable for fraudulent transactions if they alert the bank promptly.
The JPMorgan breach is just the latest in a string of cyberattacks against major corporations that have exposed the personal information of millions of people. Last month, Home Depot said about 56 million customer debit and credit cards were put at risk after hackers broke into the company's payment systems. A cyberattack against Target last year compromised the credit card information of 40 million customers.
But Wisniewski said the JPMorgan attack is still more troubling. That hackers could find a way into Wall Street's computer networks -- which are among the most secure networks in the American economy -- shows how sophisticated they have become, he said.
"The financial sector should be very concerned," Wisniewski said.