December 6, 2013
For Immediate Release: December 6, 2013 Contact: Julie Rabinowitz, 621-5009
State systems not affected
AUGUSTA—The Maine Department of Labor has been informed by JPMorgan Chase & Co., the contractor that manages the debit card system for unemployment benefit payments, that the bank detected a data breach and is informing the affected 1,308 claimants via email on Dec. 9, 2013. People concerned about whether their account was affected should call JP Morgan Chase’s customer service number, 1-866-315-1011.
“We will hold JP Morgan Chase responsible to ensure the security of our citizens’ rights and personal privacy,” said Governor Paul R. LePage. “We are greatly concerned about this lapse and want Mainers to know that we take seriously the need to keep data safe.”
“The Department of Labor is looking into the situation surrounding the breach and why we were not informed sooner of this event,” said Commissioner of Labor Jeanne Paquette. “Unfortunately, the department does not have access to individual debit card account data and cannot answer questions related to the status of individual accounts,” she noted. “Current and former claimants who have used the debit card system should call JP Morgan Chase to find out if they were affected by the security lapse.”
The bank advised the department late on Dec. 4 that the web servers used by its site, http://www.ucard.chase.com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement. Since notification, the department has been working with the bank to learn what steps they were taking to inform claimants, when that would occur, and why the breach occurred and how security will be improved going forward.
No State of Maine information systems or other unemployment system data were breached in this event. This did not affect other debit card programs operated by the State of Maine. Several other states’ unemployment and other debit card programs that have JP Morgan as a contractor were affected.
The information that may have been exposed during the security lapse could include a claimant’s card number, date of birth, user ID, password and email address. The claimant’s PIN number could not be viewed.
JP Morgan Chase is sending an email to the affected claimants with an apology and an offer of free credit monitoring for one year. The bank told the department that it has found no evidence that any individual’s information was used improperly, and they will continue to monitor the accounts. They also are asking cardholders to watch their accounts and to call the customer service number on the back of the debit card if they see purchases they do not recognize.
Unemployment benefit payments are made in one of two formats, either via direct deposit to a checking or savings account or to a prepaid debit card that can be used at ATMs, financial institutions and anywhere that the Visa logo is displayed but transaction fees apply. The debit cards may be active for up to three years, even if the person is no longer unemployed.