As if not having a job weren’t stress enough for about 8,500 Michigan unemployment insurance recipients, now they have another worry: whether their Social Security and bank account numbers, passwords, phone numbers and other identifying information have fallen into the wrong hands.
State officials on Thursday confirmed a security breach had occurred, the Detroit Free Press reports. It was detected Sept. 17 by contractor JP Morgan Chase, and state officials say they’re not happy they weren’t notified until Dec. 3, the newspaper said, citing a news release from the Department of Licensing and Regulatory Affairs.
The bank reportedly didn’t notify the state sooner because it didn’t want to compromise its own internal investigation. The bank began monitoring potentially affected accounts immediately, but “needed to get a very good solid understanding of who was affected and what if any information was exposed” before contacting the state and other customers, said Mike Fusco, a spokesman for JP Morgan Chase in New York City.
State unemployment officials said they waited more than a week after learning of the security breach while officials identified customers who were potentially affected and negotiated the time that Chase will provide free credit monitoring services through ITAC Sentinel Plus.
Chase handles the debit cards Michigan uses to pay unemployment benefits to some recipients. Unemployment recipients who accessed the bank’s web site from mid-July to mid-September may have been affected. The 8,500 potentially affected Michigan residents are among 465,000 cardholders nationwide whose personal identifying information may have been exposed.
Shaun Thomas, director of the Unemployment Insurance Agency, said he is “deeply concerned” about the incident. Officials are working closely with JP Morgan Chase to ensure the state is immediately notified if future breaches occur.
All potentially affected unemployment recipients in Michigan will be notified by the end of day Saturday if their personal information was exposed.The bank found no evidence the hacker improperly used any of the exposed information, Fusco said.