News surfaced in August that hackers had gotten into customer data at JPMorgan Chase, but a regulatory filing today reveals that the hack was way bigger than originally thought: The nation's largest bank says the accounts of 76 million households and 7 million small businesses were compromised, reports Bloomberg. No money seems to have been stolen, but hackers got names, addresses, email addresses, and phone numbers, reports the Wall Street Journal. They didn't get more sensitive data such as Social Security numbers or account passwords. Anyone who did their banking online at Chase via computer or smartphone this summer was vulnerable. Hackers were able to get into the bank's servers for about an hour at a time over a two-month stretch before the bank stopped them.
So why didn't the hackers try to siphon away money? From the New York Times report: "The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe." The cyberthieves, however, did get what the Times calls a "hacker's road map of sorts"—a list of every app and program that runs on the bank's computers. If any have known vulnerabilities, the hackers might be able to get back in before the bank gets everything secured. (In terms of sheer numbers of people affected, this hack is on par with those at Home Depot and Target.)