Earlier this year, JPMorgan Chase was the victim of a massive data breach, but the attack might have been avoided if the bank had installed a “simple” security fix, The New York Times reveals. Apparently, an unsecured server on the bank’s computer network was targeted by hackers, who then were able to steal personal data belonging to tens of millions of Americans.

FROM EARLIER: North Korea’s statement on the Sony hack is as hilariously insane as you’d expect

According to people familiar with the investigation, the financial institution might have been able to prevent the intrusion had it not been for a server that lacked a simple security feature most people are familiar with: Two-factor authentication.

After stealing credentials from a JPMorgan Chase employee, hackers were then able to access the bank’s computer network and gain high-level access to more than 90 bank servers. From there, hackers stole account information for 83 million households and businesses in the U.S.

The server used to infiltrate JPMorgan lacked the two-step authentication scheme, meaning that hackers did not have to obtain a second password in addition to the stolen login information to access the bank’s system.

Apparently, the simple vulnerability the hackers took advantage of surprised investigators, who initially believed a more complex hack was used to breach the system.

While not all details of this ongoing investigation have been revealed, it appears that a sophisticated zero day attack was not used in this data breach. The simple nature of the attack that ultimately defeated a security system costing JPMorgan some $250 million each year, also explains why other financial institutions that have two-factor authentication in place were not also hit.