Add JP Morgan Chase and “at least four other [still-unidentified] banks” to the ever-growing list of businesses and financial institutions whose customers are now at high risk of fraud and identity theft, after hackers broke into their databases and stole the confidential customer information stored there.

Bloomberg BusinessWeek first broke the news of this latest hacking. So far, all that customers can know for sure is “JP Morgan Chase and some other banks were hacked some time ago, possibly by Russians” – and we only know that much thanks to the anonymous sources who tipped off the Bloomberg reporters.

A lot of company database breaches come to public notice that way. When you first discover such a hacking has put your credit card or other personal financial information at risk, chances are you didn't learn this because the company contacted you about the security breach; you only know because you read about it yourself, here or on some other news site or security blog, which in turn only learned about it thanks to an anonymous tipster.

Notorious example

Perhaps the most notorious recent example of this is the massive security breach at credit-reporting data broker Experian, which made the records of up to five out of six American adults available to a Vietnamese identity thief.

Security blogger Brian Krebs first discovered (and announced) the Experian breach in October 2013. The following April, after various state attorneys general opened a multi-state investigation into the Experian case, Experian released a set of talking points describing what it called “an unfortunate and isolated issue – one that we take very seriously and continue to address.” That prompted Krebs to publish a point-by-point rebuttal of Experian's misleading claims. Once again, the best information customers could find about the Experian problem came not from Experian but from an outside security expert talking to anonymous sources.

Another thing many company database breaches have in common is this: a disturbingly long time passes between “the moment the company first discovers its customers are at risk” and “the moment the customers themselves learn of this, and can take steps to protect themselves.”

In May 2014, when we first told you that PayPal and eBay had been hacked, we also told you this: “The break-in was detected about two weeks ago, the company said.”

When we told you about the AT&T hacking in June 2014, this was the article's subtitle: “Hacked two months ago, discovered one month ago, now announced.”

Or the August 2014 database breach at SuperValu grocery and liquor stores: “Breach discovered four weeks ago, announced yesterday.”

Why wait?

Why do businesses and financial institutions sit on such information for so long, knowing their customers are at risk yet not bothering to inform them? The Washington Post's technology-and-policy blog, writing about the JP Morgan Chase breach this week, asked the same thing, and noted:

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family's precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

There are plenty of laws and regulations governing what businesses or financial institutions are supposed to tell you after they let your confidential information fall into a hacker's hands; so many, in fact, that in some cases it might genuinely be difficult for a company to comply with all of them. Various states have their own customer-disclosure laws, any of which can be overruled by federal laws specific to banks and financial institutions, which are in turn distinct from the state or federal laws specific to publicly traded companies. And since hacking and identity theft are criminal matters, there is always the possibility that state or federal law-enforcement authorities might want to keep the hacking out of the news for a while, to help with their own investigations.

None of which helps you, the ordinary person who has no idea your account passwords and Social Security numbers might be in some identity thief's hands right now. And, of course, if you do find out your information got lost in the latest hacking du jour, you might have to spend hours or days straightening out the mess – and you won't be compensated for your time, either.
