Hartford, CT - Following a limited but still serious data breach by JP Morgan Chase and what Department of Revenue Services (DRS) Commissioner Kevin Sullivan calls “the bank’s wholly unacceptable failure to provide a timely response,” the agency announced today a series of steps to reassure state taxpayers. DRS is:
· Immediately suspending the debit card program and issuing paper checks for income tax refunds to several thousand taxpayers for the rest of the year.
· Offering taxpayers in 2014 the choice to receive refund by direct deposit, debit card or paper check – with the understanding that direct deposit assures the promptest refund and paper checks the least prompt.
· Offering taxpayers the choice of phone activation or on-line activation until the bank website breach is fully detailed and future security is assured.
· Re-opening the contract as soon as possible to seek new proposals and competitive bids from vendors interested in providing future debit card services to state taxpayers.
· Working with the Governor’s Counsel, Attorney General, State Treasurer, and other affected state agencies to demand a more complete accounting for the security breach as well as JP Morgan Chase’s lack of immediate notice to the state and very slow response in notifying debit cardholders.
· Determining all available remedies to recover added state costs and any cardholder damages resulting from the bank security breach.
DRS has already required JP Morgan Chase to notify the approximately 7,000 affected refund debit cardholders by email and mail, reissue cards, reverse cards and have paper checks issued if requested by cardholders, and offer two years of free credit security protection.
JP Morgan Chase is under contract with the State Treasurer on behalf of several state agencies to provide debit card and other banking services. The bank reports that suspicious activity on its UCard website server was first noticed in early September and the site was probably first hacked in July of this year. The intrusion was confirmed in mid-September but mitigation was not fully completed until more than a week later. JP Morgan Chase did not notify the state until December 3, and then took over a week to begin notifying cardholders.
Taxpayer information was put at risk for refund debit cardholders accessing the JP Morgan Chase website during the period from July to September. Potentially compromised taxpayer data includes social security numbers, passwords, password confirmation questions and, if transfers were made to other financial institutions, perhaps personal banking information.
Said Commissioner Sullivan, “Using debit cards for most refunds still makes sense and saves nearly $300,000 every year. We have every confidence, however, that the State Treasurer will not let JP Morgan Chase off the hook for the consequences of this breach. While only affecting about 2% of Connecticut income tax refund debit cardholders, that’s bad enough. But even worse is the bank’s disregard of its obligations to provide immediate notification to the state and prompt notification to the cardholders.
“The use of debit cards for many state purposes, including tax refunds, still makes business sense and costs less. However, at DRS, we owe it to the public to seek a new contract that assures security and far greater responsiveness.”