How J.P. Morgan Chase’s Data Breach Exposed Its Workers

J.P. Morgan Data Breach Exposes 451,000 Employees to Identity Theft
Corporate Misconduct Accountability Project


A software flaw that went undetected for roughly two and a half years allowed three client-side system users to run reports exposing the names, addresses, Social Security numbers, and financial data of employees at J.P. Morgan’s corporate clients. The bank waited nearly two months after discovery to notify victims.

CRITICAL SEVERITY
TL;DR

Between August 2021 and February 2024, a software flaw at J.P. Morgan Chase allowed three unauthorized users to access sensitive personal data of at least 451,000 employees whose companies used J.P. Morgan for retirement account administration. The compromised information included Social Security numbers, home addresses, payment amounts, and bank routing numbers. Despite discovering the breach in February 2024, J.P. Morgan waited until mid-April to notify victims, leaving employees exposed to identity theft with no warning for nearly two months.

If your employer uses J.P. Morgan for benefits administration, your personal data may have been exposed for years without your knowledge.

451,000
Employees whose data was compromised
2.5 years
Duration of undetected data exposure
3
Unauthorized users who accessed reports containing sensitive data
24 months
Identity monitoring offered (critics say insufficient)

The Allegations: A Breakdown

⚠️
Core Allegations
What J.P. Morgan did · 8 points
01 J.P. Morgan collected and stored personally identifiable information from employees of its corporate clients, including names, addresses, Social Security numbers, payment and deduction amounts, and bank routing numbers. The bank promised to protect this data with adequate security measures. medium
02 A software flaw allowed three system users, employed by J.P. Morgan customers or their agents and legitimately provisioned on the platform, to run reports containing plan participant information they were not entitled to see. These users ran a limited number of reports between August 26, 2021 and February 23, 2024. high
03 J.P. Morgan did not discover the flaw until February 26, 2024, three days after the last of those report runs, meaning the vulnerability existed undetected for approximately two and a half years. The bank failed to implement adequate monitoring to detect unauthorized data access in a timely manner. critical
04 The bank waited until April 18, 2024 to begin sending breach notification letters to affected individuals, nearly two months after discovering the breach. This delay prevented victims from taking immediate protective action. high
05 J.P. Morgan’s notification letters omitted critical details about the root cause of the breach, which vulnerabilities were exploited, and what specific remedial measures the bank implemented to prevent future breaches. high
06 The bank maintained, used, and shared personally identifiable information in a manner vulnerable to cyberattacks. The mechanism of the cyberattack and potential for improper disclosure was a known risk to J.P. Morgan. high
07 J.P. Morgan failed to encrypt the compromised data or implement other standard security measures that would have prevented unauthorized access. The personally identifiable information remained unencrypted and available for unauthorized parties to access. critical
08 The bank stored personally identifiable information of former employees long after it was no longer required to retain such data pursuant to regulations, unnecessarily expanding the pool of at-risk individuals. medium
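The reporting flaw and detection gap in points 02 and 03 above, as an added illustration that is not code from the complaint or from J.P. Morgan (the notice never disclosed the actual root cause, so this shows only the class of failure described): a toy plan-reporting service in which the report endpoint trusts the requested plan id, the same endpoint scoped to the caller’s assigned plans, and a detection pass over constructed access records that flags any report run whose output included a plan outside the runner’s entitlements. The plan ids, user names, participant rows and the `ReportRun` log format are all constructed for the example.

```python
# Added example (not from the complaint or J.P. Morgan; the actual root
# cause was not disclosed). A minimal model of a retirement-plan reporting
# service: a flawed report that any provisioned client-side user can run
# against plans they do not administer, the scoped version of the same
# report, and a detection pass over constructed access records.

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Participant:
    plan_id: str
    name: str
    ssn_last4: str  # constructed sample data, not real SSNs


# Constructed sample data: two client plans hosted on the same platform.
PARTICIPANTS: List[Participant] = [
    Participant("PLAN-100", "A. Example", "1111"),
    Participant("PLAN-100", "B. Example", "2222"),
    Participant("PLAN-200", "C. Example", "3333"),
]

# Plans each report user (a client's HR staff or its agent) is assigned to.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr_user_client1": {"PLAN-100"},
    "agent_client2": {"PLAN-200"},
}


def run_report_unscoped(user: str, requested_plan: str) -> List[Participant]:
    """Flawed: checks only that the caller is a known user, then trusts the
    requested plan id. Any provisioned user can pull any plan's roster."""
    if user not in ENTITLEMENTS:
        raise PermissionError(f"unknown user {user}")
    return [p for p in PARTICIPANTS if p.plan_id == requested_plan]


def run_report_scoped(user: str, requested_plan: str) -> List[Participant]:
    """Hardened: the plan filter is derived from the caller's entitlements.
    A plan id outside them is rejected, and the query itself is also
    constrained so it can never return another client's rows."""
    allowed = ENTITLEMENTS.get(user, set())
    if requested_plan not in allowed:
        raise PermissionError(f"{user} is not assigned to {requested_plan}")
    return [
        p for p in PARTICIPANTS
        if p.plan_id == requested_plan and p.plan_id in allowed
    ]


@dataclass(frozen=True)
class ReportRun:
    """One record of a report execution (constructed log format; assumes the
    service records which plan ids appeared in the rows it returned)."""
    ts: str
    user: str
    plans_in_output: frozenset


def find_cross_plan_runs(
    runs: Iterable[ReportRun], entitlements: Dict[str, Set[str]]
) -> List[dict]:
    """Flag every run whose output included plans the runner is not assigned
    to. This is a per-run entitlement comparison, not a volume threshold,
    so a handful of runs spread over years still trips on the first one."""
    findings = []
    for run in runs:
        leaked = set(run.plans_in_output) - entitlements.get(run.user, set())
        if leaked:
            findings.append({"ts": run.ts, "user": run.user, "plans": sorted(leaked)})
    return findings


# Constructed access records: one legitimate run and one cross-plan run.
SAMPLE_RUNS = [
    ReportRun("2021-08-26T10:02:00Z", "hr_user_client1", frozenset({"PLAN-100"})),
    ReportRun("2021-08-26T10:05:00Z", "hr_user_client1", frozenset({"PLAN-200"})),
]


if __name__ == "__main__":
    # Flawed path: client 1's user pulls client 2's roster.
    print(len(run_report_unscoped("hr_user_client1", "PLAN-200")))  # 1
    try:
        run_report_scoped("hr_user_client1", "PLAN-200")
    except PermissionError as e:
        print("blocked:", e)
    print(find_cross_plan_runs(SAMPLE_RUNS, ENTITLEMENTS))
```

The detection compares each run against the runner’s entitlements rather than counting runs, so the “limited number of reports” the notice describes would have been flagged on the first one in 2021 rather than surfacing in 2024; the trade-off is that the report service has to record which plans appeared in each run’s output, which is the logging gap point 03 alleges.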
⚖️
Regulatory Failures
How J.P. Morgan violated federal law · 6 points
01 J.P. Morgan violated Section 5 of the Federal Trade Commission Act by failing to use reasonable measures to protect personally identifiable information. The FTC prohibits unfair practices in commerce, including the failure to employ reasonable data security measures. high
02 The bank violated the Gramm-Leach-Bliley Act, which requires financial institutions to protect the security, confidentiality, and integrity of customer information through comprehensive written information security programs with reasonable administrative, technical, and physical safeguards. high
03 J.P. Morgan failed to provide annual privacy notices to customers after the customer relationship ended, despite retaining their personally identifiable information and storing it on the bank’s network systems, violating GLBA Privacy Rule requirements. medium
04 The bank failed to adequately inform customers that it was storing and sharing their personally identifiable information on an insecure platform accessible to unauthorized parties from the internet, and would continue to do so after the customer relationship ended. high
05 J.P. Morgan violated the GLBA Safeguards Rule by failing to assess reasonably foreseeable risks to the security, confidentiality, and integrity of customer information. The bank did not implement adequate processes to detect breaches in a reasonably expeditious period. high
06 The bank shared personally identifiable information with non-affiliated third parties without providing affected individuals an opt-out notice or a reasonable opportunity to opt out of such disclosure, violating GLBA requirements and its own policies. medium
💰
Profit Over People
How cost-cutting enabled the breach · 6 points
01 J.P. Morgan enriched itself by saving the costs it reasonably should have expended on data security measures to secure employees’ personal information. Instead of providing a reasonable level of security, the bank calculated to increase its own profit at the expense of employees. high
02 The bank failed to implement basic security measures recommended by the Federal Bureau of Investigation and U.S. government agencies, including awareness and training programs, strong spam filters, scanning of incoming and outgoing email, and firewall rules blocking known malicious IP addresses. These are generic anti-phishing and perimeter controls; none of them addresses the mechanism the notice actually describes, a provisioned user running a report the application should not have let them run. high
03 J.P. Morgan did not implement industry-standard security protocols recommended by the Microsoft Threat Protection Intelligence Team, including applying latest security updates, using threat and vulnerability management, performing regular audits, removing privileged credentials, and segmenting data to prevent widespread network compromise. high
04 The bank failed to meet minimum standards of the NIST Cybersecurity Framework Version 1.1 and the Center for Internet Security’s Critical Security Controls, both established standards in reasonable cybersecurity readiness for financial institutions. high
05 J.P. Morgan was a target for cyberattack because of its status as a financial institution that collects and maintains highly valuable personally identifiable information, yet it failed to implement protections commensurate with this known risk. medium
06 The bank was in a superior position to know the true facts related to defective data security but failed to disclose inadequacies to employees who had no ability to protect their own information once entrusted to J.P. Morgan. high
📉
Economic Fallout
Financial harm to victims · 7 points
01 Victims face out-of-pocket costs for credit monitoring services, credit freezes, credit reports, and other protective measures to deter and detect identity theft. Retail credit and identity monitoring costs around $200 per year per person. medium
02 Employees whose personally identifiable information was compromised now face lost or diminished value of their personal data, which has inherent market value in both legitimate and dark markets. The data is now readily available and its rarity has been lost. high
03 Class members suffered loss of benefit of the bargain. They received employment positions that were of lesser value than what they reasonably expected, as they understood they were accepting positions with necessary data security protections that J.P. Morgan failed to provide. medium
04 Victims must spend significant time and opportunity costs attempting to mitigate actual consequences of the breach, including researching and verifying the legitimacy of the breach, monitoring financial accounts for unusual activity, and taking protective steps. This time has been lost forever and cannot be recaptured. medium
05 Stolen personally identifiable information can sell for as much as $363 per record according to the Infosec Institute. Social Security numbers and personally identifiable information are worth more than 10 times the price of stolen credit card numbers on the black market. high
06 The data brokering industry was worth roughly $200 billion in 2019. J.P. Morgan profited from retained data and used employees’ personally identifiable information for business purposes without adequately compensating them for the value their information provided. medium
07 Armed with the personally identifiable information accessed in the breach, data thieves have already engaged in identity theft and fraud and can in the future commit crimes including opening new financial accounts, taking out loans, obtaining government benefits, filing fraudulent tax returns, obtaining driver’s licenses, and giving false information to police. critical
👷
Worker Exploitation
How employees were put at risk · 6 points
01 Employees had no ability to protect their personally identifiable information that was in J.P. Morgan’s possession. They were forced to entrust this data to the bank as a condition of employment at J.P. Morgan’s corporate clients or to receive certain employee benefits. high
02 J.P. Morgan required employees to submit non-public personally identifiable information in the ordinary course of providing retirement account administration services, creating a special relationship and duty to protect this information. medium
03 Employees were the foreseeable and probable victims of inadequate security practices. J.P. Morgan knew or should have known of the inherent risks in collecting and storing this information and the critical importance of providing adequate security. high
04 Employees took reasonable steps to maintain confidentiality of their personally identifiable information and would not have entrusted it to J.P. Morgan absent promises to safeguard that information. They relied on the bank to keep information confidential and securely maintained. medium
05 J.P. Morgan made no effort to contact the 451,000 employees whose data was accessed to ask whether any had suffered misuse of their data, to indicate that it wanted to hear about such misuse, or to set up a mechanism for employees to report it. high
06 The bank’s offer of 24 months of identity monitoring is wholly inadequate: victims of data breaches commonly face multiple years of ongoing identity theft and financial fraud, and Social Security numbers never expire, so they can be exploited indefinitely. high
🏥
Public Health and Safety
Long-term harm to victims · 7 points
01 Victims now face years of having to constantly monitor their financial and personal records, along with a loss of rights. They are incurring and will continue to incur damages in addition to any fraudulent use of their personally identifiable information. high
02 Employees have been exposed to heightened and imminent risk of fraud and identity theft. They must closely monitor financial accounts to guard against identity theft for the foreseeable future. high
03 A stolen Social Security number is one of the leading causes of identity theft and can threaten financial health. Someone who has a victim’s Social Security number can use it to impersonate them, obtain credit and open bank accounts, apply for jobs, steal tax refunds, get medical treatment, and steal government benefits. critical
04 It is not an easy task to change or cancel a stolen Social Security number. Individuals cannot obtain a new number without significant paperwork and evidence of actual misuse. Preventive action to defend against possibility of misuse is not permitted. high
05 Even when obtaining a new Social Security number, credit bureaus and banks can link the new number very quickly to the old number, so all old bad information is quickly inherited into the new Social Security number, making it ineffective protection. high
06 Law enforcement officials report that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Once stolen data has been sold or posted on the web, fraudulent use may continue for years. critical
07 Victims of identity theft face substantial costs and time to repair damage to their good name and credit record, according to the U.S. Government Accountability Office. The emotional toll includes anxiety and stress that has been compounded by J.P. Morgan’s failure to fully inform victims of critical details about the breach. high
🏘️
Community Impact
Broader social consequences · 5 points
01 The stolen personally identifiable information will likely end up for sale on the dark web, as that is the modus operandi of hackers who commit cyberattacks of this type. Cybercriminals can cross-reference stolen data with unregulated data available elsewhere to assemble complete dossiers on individuals. high
02 Criminals can create comprehensive ‘Fullz’ packages by piecing together bits of compromised personally identifiable information. These packages, which include complete victim information, can be sold and then resold in perpetuity to crooked operators and other criminals. high
03 Even ‘dead Fullz’ (credentials associated with invalid credit cards) can still be used for numerous purposes, including tax refund scams, ordering credit cards on behalf of victims, or opening mule accounts without the victim’s knowledge. medium
04 The fraudulent activity resulting from the breach may not come to light for years. There is a time lag between when harm occurs versus when it is discovered, and between when personally identifiable information is stolen and when it is used. high
05 Studies that attempt to measure harm resulting from data breaches cannot necessarily rule out all future harm, as stolen data may continue to be exploited indefinitely once it enters criminal networks. medium
🔍
Corporate Accountability Failures
How J.P. Morgan avoided responsibility · 6 points
01 J.P. Morgan’s disclosure amounts to no real disclosure at all, as it fails to inform victims with any degree of specificity about critical facts. Without details about root causes, vulnerabilities exploited, and remedial measures, victims’ ability to mitigate harms is severely diminished. high
02 Companies only send breach notification letters because data breach notification laws require them to do so. By sending a notice letter, J.P. Morgan admits it has a reasonable belief that employees’ information was accessed or acquired by unauthorized individuals. medium
03 J.P. Morgan was fully aware of its obligation to protect personally identifiable information and the significant repercussions that would result from failure to do so. The bank’s conduct was particularly unreasonable given the nature and amount of information it obtained and stored. high
04 The bank was or should have been fully aware of the unique type and significant volume of data on its network, amounting to more than 451,000 individuals’ detailed personal information, and the significant number who would be harmed by exposure of unencrypted data. high
05 J.P. Morgan provides on its website that it uses ‘reasonable physical, electronic, and procedural safeguards that comply with legal and regulatory standards to protect and limit access to personal information,’ yet the breach demonstrates these safeguards were inadequate. high
06 The bank disregarded the rights of employees by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure data systems were protected against unauthorized intrusions and failing to provide prompt and accurate notice of the breach. critical
📢
The PR Machine
How J.P. Morgan controlled the narrative · 4 points
01 J.P. Morgan’s breach notification characterizes the incident as a ‘software issue’ without explaining the underlying security failures that allowed the software flaw to persist undetected for roughly two and a half years. medium
02 The bank’s offer of two years of identity monitoring, while presented as a benefit to victims, is insufficient to address the long-term risks. Stolen Social Security numbers can remain valuable to criminals for many years beyond the coverage window. high
03 J.P. Morgan waited nearly two months between discovering the breach in late February 2024 and sending notification letters in mid-April 2024, potentially enabling criminals to exploit stolen data undetected during this period. high
04 The bank has disclosed little to no information about which vulnerabilities attackers leveraged or how the flaw was fixed, leaving employees in the dark about the true scale of risk and whether other data sets were also at risk. high
⚖️
Wealth Disparity
Unequal burden of data theft · 4 points
01 While data theft can happen to anyone, the burden of recovery disproportionately affects the less wealthy. Wealthy executives have access to top-tier legal counsel, accountants, and personal finance managers who can quickly mitigate fallout, while lower-level employees and retirees face complicated bureaucracies. high
02 Lower-income households often have fewer resources to recover from fraud, including limited free time, no private attorney on retainer, and diminished financial safety nets. The time and money required for identity theft recovery creates an unequal burden. high
03 Distrust in financial institutions disproportionately impacts marginalized communities who may already contend with systemic barriers to credit or wealth-building. When these communities lose trust in mainstream banking, they can be driven to predatory lenders or less secure alternatives. medium
04 The personally identifiable information of individuals has inherent market value. J.P. Morgan acquired this information through inequitable record retention, failing to investigate or disclose inadequate data security practices while profiting from use of employee data. high
📌
The Bottom Line
What this means for corporate accountability · 7 points
01 The breach was a direct result of J.P. Morgan’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect personally identifiable information from a foreseeable and preventable cyberattack. critical
02 J.P. Morgan was targeted for cyberattack due to its status as a financial institution that collects and maintains highly valuable personally identifiable information, yet failed to take preventive steps despite knowing this elevated risk. high
03 The injuries to employees were directly and proximately caused by J.P. Morgan’s failure to implement or maintain adequate data security measures. But for the bank’s wrongful and negligent breach of duties, personally identifiable information would not have been compromised. critical
04 Data breaches have become widespread: 7,333 organizations experienced breaches in the third quarter of 2023 alone, compromising the personal information of 66,658,764 individuals. J.P. Morgan’s breach fits a broader pattern. high
05 Cyberattacks have become so notorious that the FBI and U.S. Secret Service have issued warnings to potential targets. Financial institutions storing personally identifiable information are attractive to ransomware criminals because they often have lesser IT defenses and high incentive to regain access to data quickly. medium
06 Prevention is the most effective defense against ransomware and it is critical to take precautions for protection, according to the Federal Bureau of Investigation. J.P. Morgan could have prevented the breach by properly encrypting or otherwise protecting equipment and computer files containing personally identifiable information. high
07 Employees have a continuing interest in ensuring that their personally identifiable information, which remains backed up in J.P. Morgan’s possession, is protected and safeguarded from future breaches. They are entitled to injunctive relief requiring the bank to strengthen data security systems and monitoring procedures. high

Timeline of Events

August 2021
A software flaw in the reporting system begins allowing provisioned system users to access sensitive employee data through reports they were not entitled to see; the first such report run occurs on August 26, 2021.
August 2021 – February 2024
Three system users employed by J.P. Morgan customers or their agents run a limited number of reports containing plan participant information including names, addresses, Social Security numbers, and bank account details. The last such run occurs on February 23, 2024.
February 26, 2024
J.P. Morgan discovers the software issue and data breach after roughly two and a half years of undetected exposure.
February – April 2024
Victims remain unnotified for nearly two months while criminals potentially exploit stolen data.
April 18, 2024
J.P. Morgan begins sending breach notification letters to approximately 451,000 affected individuals, offering two years of identity monitoring.
May 3, 2024
Class action lawsuit filed in U.S. District Court for the Southern District of New York on behalf of Benjamin Valentine and all similarly situated victims.

Direct Quotes from the Legal Record

QUOTE 1 · What data was stolen · Core Allegations
“The reports included your name, address, Social Security number, payment and deduction amounts, as well as bank routing and account number if you set up direct deposit.”

💡 This combination of data elements provides everything needed for comprehensive identity theft and financial fraud.

QUOTE 2 · Duration of undetected breach · Core Allegations
“The system users ran a limited number of reports between August 26, 2021 and February 23, 2024.”

💡 J.P. Morgan’s monitoring failed to detect unauthorized data access for roughly two and a half years, even though the report runs were a small, discrete set of events that a per-run entitlement check would have flagged.

QUOTE 3 · Who accessed the data · Core Allegations
“The three users were employed by J.P. Morgan customers or their agents.”

💡 The breach involved legitimately provisioned system users who could see information beyond the plans they administered, pointing to an authorization (access control) failure in the reporting feature rather than an external intrusion.

QUOTE 4 · Inadequate disclosure · The PR Machine
“Omitted from the Notice Letter were the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.”

💡 Without these critical details, victims cannot assess their true level of risk or whether J.P. Morgan has actually fixed the problem.

QUOTE 5 · Failure to monitor · Regulatory Failures
“Defendant’s failure to implement or maintain adequate data security measures for the PII of Plaintiff and Class Members.”

💡 This speaks to systemic deficiencies rather than a single oversight.

QUOTE 6 · Unencrypted data · Regulatory Failures
“The attacker accessed and acquired files Defendant shared with a third party containing unencrypted PII of Plaintiff and Class Members.”

💡 Encryption at rest protects files that are copied or shared out of band; it does not protect data an application decrypts and renders for a logged-in user, which is why the report-level authorization failure described in Quote 3 matters independently of whether the stored data was encrypted.

QUOTE 7 · Known risk ignored · Corporate Accountability Failures
“The mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ PII was a known risk to Defendant, and thus, Defendant was on notice that failing to take steps necessary to secure the PII from those risks left that property in a dangerous condition.”

💡 J.P. Morgan knew the risks but chose not to implement adequate protections.

QUOTE 8 · Profit motive · Profit Over People
“Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ Personal Information. Instead of providing a reasonable level of security that would have prevented the hacking incident, Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.”

💡 This alleges J.P. Morgan consciously chose profit over employee protection.

QUOTE 9 · FTC violation · Regulatory Failures
“Defendant violated Section 5 of the FTC Act and GLBA by failing to use reasonable measures to protect PII and not complying with applicable industry standards.”

💡 The breach wasn’t just negligence but a violation of federal law designed to protect consumers.

QUOTE 10 · Long-term harm · Public Health and Safety
“Once PII is stolen—particularly Social Security numbers—fraudulent use of that information and damage to victims may continue for years.”

💡 Two years of credit monitoring does not address the indefinite risk created by stolen Social Security numbers.

QUOTE 11 · No easy fix for victims · Public Health and Safety
“An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.”

💡 Victims cannot even take the most protective action unless they’ve already been victimized.

QUOTE 12 · Dark web value · Economic Fallout
“Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”

💡 The stolen data is extremely valuable to criminals and will likely circulate indefinitely.

QUOTE 13 · Industry standards ignored · Regulatory Failures
“Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.”

💡 J.P. Morgan didn’t just fall short of best practices but failed to meet even minimum industry standards.

QUOTE 14 · Foreseeable breach · Corporate Accountability Failures
“A breach of security, unauthorized access, and resulting injury to Plaintiff and the Class was reasonably foreseeable, particularly in light of Defendant’s inadequate security practices.”

💡 This wasn’t an unpreventable act of nature but a predictable consequence of inadequate security.

QUOTE 15 · Promise broken · Corporate Accountability Failures
“Defendant provides on its website that: ‘[w]e use reasonable physical, electronic, and procedural safeguards that comply with legal and regulatory standards to protect and limit access to personal information. This includes device safeguards and secured files and buildings.’”

💡 J.P. Morgan explicitly promised protections it allegedly failed to deliver.

Frequently Asked Questions

How many people were affected by the J.P. Morgan data breach?
At least 451,000 individuals had their personal information compromised. These were employees of companies that used J.P. Morgan for retirement account administration and other benefits services.
What specific information was stolen in the breach?
The compromised data included full names, home addresses, Social Security numbers, payment and deduction amounts, and bank routing and account numbers for those who set up direct deposit. This combination provides criminals with everything needed for identity theft and financial fraud.
How long did the data breach last before J.P. Morgan discovered it?
The software vulnerability allowed unauthorized access from August 26, 2021 until February 23, 2024, a period of approximately two and a half years. J.P. Morgan did not discover the breach until February 26, 2024.
How long did J.P. Morgan wait to notify affected individuals?
J.P. Morgan discovered the breach on February 26, 2024 but did not begin sending notification letters until April 18, 2024, nearly two months later. This delay prevented victims from taking immediate protective action.
Who was responsible for accessing the data without authorization?
Three system users employed by J.P. Morgan customers or their agents ran reports containing plan participant information they were not entitled to see. The lawsuit alleges J.P. Morgan failed to implement proper access controls to prevent this.
Is the two years of free credit monitoring enough?
No. The lawsuit argues that two years of monitoring is wholly inadequate because victims of data breaches commonly face multiple years of ongoing identity theft and fraud. Social Security numbers never expire, so the risk continues indefinitely.
Can victims get a new Social Security number?
It is extremely difficult. You cannot obtain a new Social Security number without significant paperwork and evidence of actual ongoing fraud. Preventive action is not permitted. Even when you do get a new number, credit bureaus and banks can quickly link it to your old number, inheriting all the problems.
What laws did J.P. Morgan allegedly violate?
The lawsuit alleges violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair practices in commerce (including the failure to use reasonable data security measures), and the Gramm-Leach-Bliley Act, which requires financial institutions to safeguard the security and confidentiality of customer information.
Why didn’t J.P. Morgan encrypt the data?
The lawsuit alleges J.P. Morgan failed to use reasonable security procedures appropriate to the nature of the sensitive information, including encrypting data or deleting it when no longer needed. The files shared with third parties contained unencrypted personally identifiable information.
What can I do if I was affected by this breach?
Monitor all your financial accounts closely for unauthorized activity. Place a fraud alert or, better, a security freeze on your credit reports with all three major credit bureaus; freezes are free under federal law and block new credit from being opened in your name until you lift them. Because the exposed data included Social Security numbers, also consider requesting an IRS Identity Protection PIN, which prevents a tax return from being filed under your number without it. Enroll in the identity monitoring J.P. Morgan offered, but plan to keep monitoring beyond the two-year window. Keep detailed records of any time or money spent addressing breach-related issues. You may be eligible to join the class action lawsuit.
Post ID: 679  ·  Slug: how-j-p-morgan-chases-data-breach-exposes-the-vulnerability-of-workers-identities  ·  Original: 2024-12-08  ·  Rebuilt: 2026-03-19


Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
