U.S. states ask JPMorgan Chase for security data as they probe hack

(Reuters) — States probing last summer’s massive hack at JPMorgan Chase & Co. have asked for detailed data on the company’s security practices and want to know whether the bank is certain that no sensitive account data was stolen.

“Critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches,” more than a dozen states said in a letter sent to the bank last week. Reuters obtained a copy of the letter on Wednesday following a report in the New York Times.

The states announced the probe in October after JPMorgan said that about 83 million customer records had been stolen, including names, addresses and phone numbers. The bank had assured authorities that more sensitive information, such as account numbers, Social Security data and passwords, had not been compromised.

The states asked in a Jan. 8 letter to JPMorgan’s chief privacy officer, Zoe Strickland, whether the bank’s investigation to date had turned up any information that is “inconsistent with such statement.”

They also asked whether the bank knew of any fraud related to the attack and for other details, including descriptions of its security practices before the breach and steps it had taken to boost protections.

The letter, which was signed by officials from Connecticut and Illinois on behalf of more than a dozen states, also requested copies of any investigative reports and audits related to the breach. Illinois and Connecticut are leading the multistate probe of the attack.

A spokeswoman for JPMorgan Chase declined to comment on the letter.