When banks get hit by a data breach it’s big news because of what’s at stake — banks have more personal data on customers than retailers — and the assumption that the bigger the bank the bigger its IT security ought to be.

So the revelation that the names, addresses, phone numbers and email addresses of some 76 million household and seven million small business account owners were exposed by a hacker has surprised the industry,

As one expert told SC Magazine, that amount of data could amount to 64 gigabytes. Hackers don’t have big pipes, the expert said, so to transfer that amount of data would have taken quite a while.

Chase issued a statement saying there’s no evidence account numbers, passwords, user IDs, date of birth or Social Security number were compromised during the attack. Therefore it isn’t telling customers to change their passwords, credit or debit cards. But it is warning customers to watch for phishing attacks now that their contact information is known.

Affected customers used the following web or mobile services:, JPMorganOnline, Chase Mobile or JPMorgan Mobile.

“We have identified and closed the known access paths,” the bank statement said.  “We have no evidence that the attackers are still in our system.”

While the hunt is on for the perpetrators and exactly how they got into the Chase system, there’s no shortage of finger pointing. One official of a compliance testing firm complained to SC Magazine that software companies ship buggy products with little security. Another said threat intelligence feeds for malware detection are ineffective if the supplier’s feed hasn’t previously detected new malware.

Meanwhile, the New York Times reports that the same group that hit Chase also struck nine other financial institutions.

Expect to hear more from Chase.