Published May 9, 2025

Understanding Chase data breach 2024: what happened and how to protect yourself after the incident


In February 2024, JPMorgan Chase & Co. reported a data breach involving certain personal information of its customers. According to the official breach notice, a third party gained unauthorized access to customer data through a software glitch dating back to August 26, 2021. In total, the breach affected more than 451,000 individuals.

The Chase data breach, along with similar security incidents at Amex, Bank of America, Truist and others, teaches an important lesson: even the largest financial institutions are vulnerable, which reinforces the growing need for strong security practices across the banking industry.

In this article, we’ll look into the details of the Chase bank data breach, outline the initial steps you can take if you’ve been affected, and share long-term strategies to secure your personal information.

What happened in the Chase data breach?

Timeline of events

The Chase security breach began on August 26, 2021 and wasn’t detected until February 23, 2024, when the bank discovered a software issue that gave users access to retirement plan data they were not authorized to view.

The 2024 Chase data breach wasn’t the first security incident involving the bank. In 2014, the financial corporation experienced a cyberattack that led to a massive JP Morgan data breach affecting 76 million households and 7 million small businesses. The earlier cyberattack brought attention to the bank’s cybersecurity practices, caused significant damage to its reputation, and provides context for understanding security incidents across the banking sector.

Was the 2024 Chase security incident a bank hack or a data leak?

There was no direct Chase bank hack. The incident was the result of a software issue that allowed three system users to gain unauthorized access to retirement plan participant information. As the forensic investigation further revealed, these users were employed by J.P. Morgan customers or their agents. The access continued undetected for over two years, and throughout this time the users ran a limited number of reports to access private customer information.

Because the exposure wasn’t the result of a targeted attack, it’s a data leak rather than a cyberattack. Still, even though the leak wasn’t malicious, it involved certain private information of Chase customers, making the impact just as serious.

Data exposed in the Chase data breach

The official notice of breach reports that the following data points were compromised:

  • Names
  • Addresses
  • Social Security numbers
  • Payment and deduction amounts
  • Bank routing and account numbers (for customers who set up direct deposits)

How the leaked data could put you at risk

The exposure of sensitive information in the Chase data leak put affected individuals at risk of various threats, both immediate and long-term. These risks include:

  • Identity theft
  • Phishing attacks
  • Financial fraud (e.g. drained accounts, fraudulent credit lines, false tax returns, etc.)
  • Credit score damage
  • Targeted impersonation scams

How many customers were affected

The Chase data breach affected a total of 451,809 individuals.

It’s important to note that the incident was limited to a specific group of individuals enrolled in employer-sponsored retirement plans. Regular customers, such as JPMorgan Chase checking and savings account holders or credit card users, were not affected, as the software issue didn’t impact the broader banking infrastructure.

Chase’s public response after the incident

After detecting the Chase data leak, the bank took immediate steps to address it and update their software. Soon the company sent official notices of a breach to affected individuals, clarifying the incident details, providing safety recommendations, and offering a free subscription to Experian’s IdentityWorks. The service includes credit monitoring, surveillance alerts, identity theft resolution support, and identity theft insurance.

Additionally, Chase set up a dedicated call center for addressing customers’ concerns and questions. It’s available at 1-888-719-8932, Monday to Friday from 8:30 am to 5 pm EST.

Reactions to the Chase data breach: lawsuits and customer concerns

After the Chase security breach news spread, the bank faced a class action lawsuit for negligent cybersecurity measures and reckless handling of sensitive customer data. As of now, legal proceedings are ongoing. 

The public also responded on social media, with some affected customers voicing concerns about their compromised data. Reddit users reported receiving emails from the bank stating that their information had been found on the dark web. As one user wrote: “I got an email from Chase saying my info has been found on the Dark Web. So, what do I need to worry about? Can I get it off the Dark Web? Do I need to change every single User/Pass I’ve ever made?”

However, most users questioned the validity of such emails.

If your data was exposed: what to do next

If you learn that your data was compromised in the Chase data leak, here are several steps you can take right away to reduce the immediate risks.

Monitor credit card statements and credit report

Use the Chase app or chase.com to access paperless account statements and review them regularly for any suspicious activity. 

In addition, check your general credit report to ensure there are no unauthorized credit card requests, newly opened accounts or other activity under your name. You can get a copy of your report via AnnualCreditReport.com or request it directly from one of the three major credit reporting bureaus (Equifax, Experian, or TransUnion), either online or by post.

Enable account alerts

Enable real-time alerts for different account activities so that you can quickly detect any suspicious transactions and report them to your bank promptly. 

Via the Chase app:

  1. Sign into your account.
  2. Tap the person icon.
  3. Click on “Manage alerts” and choose the types of notifications you want to receive.

Via the website:

  1. Log into your account.
  2. Tap the person icon.
  3. Go to “Profile & settings”, then select “Alerts” to manage your notification preferences.

Set up two-factor authentication

Two-factor authentication (2FA) adds extra protection to your accounts by requesting additional forms of verification, for example, an SMS code, face ID, fingerprint, or another method. This can help you instantly learn about unauthorized login attempts and prevent account takeover.

For even greater security, use an authenticator app that generates a one-time login key or QR code instead of SMS. Here’s how you can set it up:

  • Go to your Chase mobile app.
  • Select “Profile & Settings” in the upper right corner.
  • Go to “Settings”, then “Security & Privacy”, and finally “Ways you can be more secure” to enable 2-step verification and select the preferred authentication method.
  • Choose an authenticator app (e.g. Google Authenticator, Microsoft Authenticator, etc.).
  • Add your Chase account to the authenticator app of your choice to start generating login codes.

Freeze your credit, if necessary

If you’re concerned about identity theft or financial fraud and don’t plan to apply for credit in the near future, you may want to consider freezing your credit report with the three major bureaus. This prevents lenders from accessing your credit file, making it much harder for anyone to open new credit lines or accounts in your name.

Here is how to place a security freeze with each bureau:

  • Equifax: Online, at 888-298-0045, or via post. 
  • Experian: Online, at 888-397-3742, or via post.
  • TransUnion: Online, at 800-916-8800, or via post.

How to stay safe from future breaches

The following steps can help you prepare for potential security incidents and reduce their impact.

Use unique passwords for financial accounts

Create unique, strong passwords for your financial and email accounts, and change them frequently to prevent credential stuffing. Use these tips for maintaining good password hygiene:

  • Make passwords 16+ characters long.
  • Don’t include personally identifiable information, such as names, birthdays, and other private details.
  • Combine uppercase and lowercase letters, numbers, and symbols.
  • Never reuse the same password for multiple accounts.
  • Use password managers to automatically create secure passwords and store them. Some apps to consider include 1Password, Bitwarden, NordPass, LastPass, and similar.

Be cautious when saving your credit card or personal information online

Avoid saving your credit card details or sensitive information on various websites and apps, especially those you don’t use frequently, as this can increase your risk of identity theft. Instead, make sure you only use secure and verified platforms and input your credit card information manually when needed.

If you saved this kind of information earlier, check the privacy or autofill settings in your browser and online accounts to see what’s stored, and remove unnecessary entries.

Stay private and protected with Onerep

Even if you take strong security measures, your personal information like your full name, address, phone number, or family details can still appear on data broker websites without your permission. These sites collect and publish personal information from public records, social media and other online sources, making it easy for scammers to use those details in phishing attacks, impersonation scams, or even identity theft.

Limiting your online exposure can significantly reduce your risk of being targeted by cybercriminals. That’s where Onerep can help. The platform continuously scans and removes your personal information from hundreds of data broker sites, helping you stay private and less vulnerable to digital threats over time. 

FAQs

Was Chase hacked in 2024?

No. The Chase data breach resulted from a software glitch rather than a direct cyberattack. However, the bank experienced a hacking attack earlier, in 2014, which also affected many customers.

How do I know if my Chase information was leaked?

First, check if you received an official notice from the bank. Also, check your account and credit reports for any suspicious activity and use tools like HaveIBeenPwned to see if your data was found in breaches.

Is Chase doing anything to protect affected customers?

After detecting the issue, Chase applied a software update to remove unauthorized access. The bank also offered affected customers a complimentary membership of Experian’s IdentityWorks service.

Can I remove my personal information from the internet?

Yes. Most personal information shared publicly can appear on people-search and data broker sites. However, you can remove it because data brokers are legally obliged to delete your records upon an official request, after which your information also disappears from Google. Tools like Onerep automate this process and help you maintain long-term privacy.

Mikalai Shershan, Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
