JPMorgan Chase’s network was hacked and personal information for more than 14,000 Connecticut residents who have prepaid debit cards from state agencies, including state tax refunds, could have been compromised, according to the state treasurer’s office.



JPMorgan Chase said as many as 465,000 accounts across the country might be exposed, including 14,335 accounts in Connecticut.

People possibly affected are those who received prepaid debit cards from the State’s Department of Revenue Services, Department of Labor, Department of Social Services, and Department of Children and Families in place of checks for tax refunds, unemployment benefits or child support payments, according to a statement from state treasurer Denise Nappier’s office.



Around 7,000 of the people in affected are those who received their income tax refund on prepaid debit cards, according to the State Department of Revenue Services Commissioner Kevin Sullivan.

This is about 2 percent out of the 360,000 total cards issued.

The JPMorgan Chase servers affected support the UCard website and personal information might have been exposed between mid-July and mid-September,

particularly when activating cards and transferring balances.



Information that could have been exposed includes your name, social security number, bank account number, card number, date of birth, security answers, password, address, phone number and e-mail addresses.



“First and foremost, I want to assure all citizens who have these cards that my Office considers this incident a serious breakdown in security, and holds JPMorgan Chase accountable,” Nappier said in a statement. “We expect JPMorgan Chase to take immediate steps to notify affected account holders, to offer credit protection services to those impacted, and to properly safeguard all private personal information of citizens who receive payments from the State via JPMorgan Chase debit cards. Our constituents deserve nothing less.”



JPMorgan Chase said it has found no evidence of improper activity on the accounts, but the state has directed it to notify all affected cardholders that it will provide them two years of credit monitoring free of charge as a precaution.



Nappier said her office was not notified of the breach until two and a half months after it happened.



“They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues,” Nappier said.



Commissioner Sullivan is working with the state treasurer’s office to evaluate JPMorgan’s future as a vendor, remedies the state has under the contract and the future security of income tax refund debit cards.



State officials have also requested more information about how the breach happened and what steps to take to minimize future risk.