DRS: JP Morgan Chase Breach Information

Information on JP Morgan Chase Breach
The Department of Revenue Services was notified on Tuesday, December 3, 2013 that J.P. Morgan Chase (Chase), the administrator of our refund debit cards, had a website data security breach.  We were informed that 6,959 Connecticut taxpayers who received refund debit cards may have had information from Chase’s www.ucard.chase.com website compromised.  Questions concerning this breach can be directed to a special Chase call center by dialing 866-849-5255.

JP Morgan Chase Bank is notifying customers regarding incorrect Debit Cards that were sent out.  Please follow the instructions in the email from Chase Bank.  Destroy the incorrect card pictured below and activate the new card when received.

Incorrect Card – Destroy When Received

{Image of Incorrect Debit Card sent by Chase}

New Card – Activate When Received

{Correct Debit Card Image}


Questions & Answers
Q. Who are the affected taxpayers?
A. Anyone who visited Chase’s “UCard” website between July 2013 and September 2013, to either activate their debit card or to electronically transfer the balance from the debit card to their bank account.  Out of some 360,000 state taxpayers receiving income tax refund debit cards, 6,959 may have been affected.

Q. What if I activated my debit card by phone and did not set up a UCard account?
A. You are not affected.

Q. What if I have not activated my debit card yet?
A. You are not affected.

Q. How will I know if I am one of the affected taxpayers?
A. Chase is notifying all affected taxpayers by letter and email.

Q. Do I need to pay for credit security protection?
A. No.  Chase is required to offer you free credit security for 2 years when you are notified.

Q. What type of information is involved in this unauthorized access?

A. The following list includes items that may have been accessed:

  • Name;

  • Social Security Number;

  • Debit Card Number; 

  • Answers to the security questions;

  • Password;

  • Address;

  • Phone number;

  • E-mail address;

  • Account information at other banks where you may have used the debit card

Q. If I am affected, what can I do with my card?
A. If you had a balance left on the card, Chase has been directed to replace it and provide telephone rather than online reactivation.  You can also immediately stop using the card and go online at Chase to get a new one free of charge.

Q. Is there anything else I should do?

A. You should consider:

  • Informing your banking institution of this breach if you transferred your debit card balance using the UCard website between July 2013 and the end of September 2013.

  • Changing passwords you use to access other websites or accounts if you have used the same password.

  • Changing security questions you have used for other websites or accounts if you have used the same security questions.

Q. Why does the DRS issue refunds by debit card?
A. Most taxpayers now choose direct deposit for faster refunds, but debit cards were implemented to cut state expenses compared to the cost of paper checks for refunds under $5,000.

Q. How did JP Morgan Chase get selected to administer the DRS refund debit cards?
A. JP Morgan Chase was selected on the basis of an open, competitive bid process conducted by the State Treasurer's Office.

Q. Does this only involve Connecticut?
A. Tax departments and other agencies in other states were affected by this breach.

Q. What else will DRS be doing about this?
A. We are working with the State Treasurer and other state agencies to ensure Chase does everything possible to protect affected taxpayers.  Chase’s liability for this breach will then be evaluated, as well as the future security of our income tax refund debit cards.

Q. What if I have any problems when signing up for Credit Security Protection?
A. Please call CHASE at (866) 849-5255 and a service representative will provide assistance.