JPMorgan Chase is refusing to say how many individuals had their personal information stolen by hackers in the recent massive security breach. But that information is critical in understanding the potential consequences of the hack.
The bank, the nation's largest by assets, disclosed last week that 76 million households were affected by the breach, which took place over the summer.
JPMorgan spokeswoman Trish Wexler said the bank is not offering additional details beyond what it has already announced.
Since disclosing the hack in a regulatory filing last Thursday, JPMorgan has only noted that 76 million households were affected. That's a huge number, just shy of two-thirds of American households, making the breach the largest cyberattack against a bank in history.
Yet the company has not disclosed a separate, presumably even larger figure: the number of individual customers whose personal information was compromised.
JPMorgan has said that no account information was stolen by the hackers, but that they were able to access contact details like names, phone numbers and email and home addresses. Internal bank information, such as what types of accounts individuals held, was also stolen. The bank has argued that because contact information was stolen, as opposed to account details, the best way to measure the size of the hack is by households, not individuals.
It seems like an obvious point to note that if 76 million households were hacked, the number of affected individuals is likely even larger. There could be many people in a single household with JPMorgan Chase accounts.
It is, however, a point worth emphasizing. Having individual customer names and email addresses will allow hackers to run phishing scams targeted at individuals, not households. For JPMorgan to publicize only the number of households at risk, without disclosing the number of individuals, gives a distorted impression of the attack's true scope.
Chester Wisniewski, an adviser at the security firm Sophos, told The Huffington Post that the attack "puts Chase customers at high risk for phishing and social engineering" scams -- even if those kinds of scams weren't the hackers' original purpose.
If the hackers "aren't interested in the information," said Wisniewski, "they will sell it to someone who is."
The sheer scale of JPMorgan's consumer banking business, and the ubiquity of its online presence, underscore the severity of the breach. JPMorgan Chase is the largest credit card issuer in the U.S. by loan value, with 65.8 million open accounts. The bank also has 30.1 million checking accounts. It's the second largest mortgage originator in the U.S., and the country's third largest auto-lender not owned by a car manufacturer. And according to its annual report, Chase.com is the most visited financial services website in America.