All told, 76 million households and 7 million small businesses were affected, the bank wrote in an 8-K filing Thursday to the U.S. Securities and Exchange Commission.
In addition to customer information, the attack also “compromised internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with,” according to an FAQ for customers on its website.
Bank account numbers, passwords, user IDs, birth dates as well as credit, debit and Social Security numbers are not believed to have been compromised, it wrote.
“Since we have seen no evidence of unusual fraud activity, we don’t think customers need to go through the inconvenience of having their cards reissued,” the notice said.
The bank didn’t provide many other details about the attack, but said its customers who used its online or mobile services on Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile were affected.
A JPMorgan Chase spokeswoman said via email Thursday that the bank experienced only one attack, which lasted from June through August.
The regulatory filing contained the most information JPMorgan Chase has released to date on the scope of the attacks, which surfaced in media reports in late August.
At that time, JPMorgan Chase declined to confirm the attacks, saying that companies of its size experience cyberattacks nearly every day.
The U.S. Federal Bureau of Investigation said around the same time that it was working with the Secret Service to determine the scope of the attacks, which were rumored to affect other U.S. financial institutions.
Because no financial data was compromised, JPMorgan Chase said it is not “necessary” for customers to subscribe to a credit or identity theft monitoring service. Many companies that have experienced a data breach offer those services for free, usually for a year.
It warned that phishing attacks—which seek to trick users into visiting malicious websites or clicking risky links—are the biggest risk after contact information has been compromised.
“Don’t click on links or download attachments in emails from unknown senders or other suspicious email,” the bank advised. “We will never ask you to enter your personal information in an email or text message.”
The bank said its probe is continuing and it is working with government agencies that are also investigating.
“Attacks like these are frustrating,” it said in another statement on its website. “There are always lessons to be learned, and we will learn from this one and use that knowledge to make our defenses even stronger.”