JPMorgan, the largest U.S. bank with $3.4 trillion in assets, recently fixed a years-long software issue that allowed unauthorized access to 451,809 retirement plan records.
Three system administrators could access personal and financial information from retirement plan holders when they ran certain reports, though they were not entitled to that information.
The admins could see names, social security numbers, addresses, payment amounts, and routing and account numbers, per JPMorgan’s filing with the Office of the Maine Attorney General.
Related: A U.S. State Was Hacked in a Massive Data Breach—And Every Single Resident Is At Risk
All three administrators were employed by JPMorgan customers or their agents and had “an obligation” to keep user data safe as part of their jobs, per the filing.
JPMorgan became aware of the issue on February 26 after one of the admins with incorrect access self-reported it. It started in August 2021.
The bank stated that it “promptly” took measures to correct user access and additionally “tested and applied a software update.”
Between the time of the breach and the time of discovery, a more than two-year period, the administrators downloaded a relatively low number of affected reports — only twelve reports in total. They have since reported deleting the data.
Related: JPMorgan Says Its AI Cash Flow Software Cut Human Work By Almost 90%
JPMorgan sent written notice to affected customers on April 18 and offered them two years of identity protection support.
“There is no indication of data misuse,” a JPMorgan spokesperson said in a statement to Pensions & Investments.
JPMorgan isn’t the only big U.S. bank to report a recent data breach. A ransomware group may have obtained the account information of more than 50,000 Bank of America account holders in November, per a February notice from the bank.