Share story

JPMorgan Chase, the biggest U.S. bank, on Thursday described the size of its previously disclosed data breach, ranking it among the year’s largest-known cyberattacks.

Here’s what customers need to know:

Q. How big was the breach?

A. JPMorgan estimated that data on 76 million households and 7 million small businesses were compromised, without identifying locations. For perspective, the U.S. had about 115 million households total as of 2012. The breach affected people who visited the firm’s websites, including, or used its mobile app, said a person briefed on the matter.

Q. What information was taken?

A. User-contact information including names, phone numbers, addresses and email addresses. Internal data identifying customers by category — such as whether they’re clients of the mortgage, auto, credit-card or private-bank divisions — also were exposed, the person said.

Q. What wasn’t taken?

A. JPMorgan said there’s no evidence hackers stole account numbers, passwords, user IDs, dates of birth or Social Security numbers.

Q. Are hackers draining accounts, and is my money safe?

A. JPMorgan said it hasn’t seen any unusual fraud linked to the breach. Customers aren’t liable for unauthorized transactions if the bank is promptly alerted, the company said.

Q. What should I do to protect myself?

A. Because account IDs and passwords weren’t compromised, JPMorgan said it isn’t necessary to obtain new credit or debit cards, change passwords or obtain identity or credit monitoring as a result of the incident. The firm said customers should alert it immediately if they spot suspicious transactions.

Q. What can hackers do with contact information?

A. Phishing scams are typically the biggest risk, according to JPMorgan. That’s when criminals contact people and try to trick them into handing over account details or other sensitive information. The bank warned customers not to click links or download attachments on emails from unknown senders.