JPMorganChase A.I CyberSecurity Scoring
JPMorganChase
Company Information
Website: http://www.jpmorganchase.com
Employees number: 224,255
Number of followers: 7,067,454
NAICS: 52
Industry Type: Financial Services
Homepage: jpmorganchase.com
JPMorganChase Risk Score (AI oriented)
Between 700 and 749
JPMorganChase, Financial Services
Updated: 28/05/2026
731/1000
Moderate
Ba
JPMorganChase: Moderate
Current Score
731 Ba (MODERATE)
Scale: 0 to 1000
10 incidents
-22 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
732
MAY 2026
729
APRIL 2026
728
MARCH 2026
724
FEBRUARY 2026
722
JANUARY 2026
720
DECEMBER 2025
717
NOVEMBER 2025
737
Breach
07 Nov 2025 • JPMorganChase
Chase Affiliated Companies
Data Breach at Chase Affiliated Companies Affecting Texas Residents
715
CRITICAL-22
JPM4403744110825
On November 7, 2025, Chase Affiliated Companies disclosed a data breach to the Texas Attorney General’s office, impacting 979 Texas residents. The exposed information included names and Social Security numbers (SSNs), both classified as personally identifiable information (PII). The breach significantly elevates the risk of identity theft for affected individuals, given the sensitivity of SSNs, which are prime targets for fraudulent activities such as loan applications, tax fraud, or unauthorized account openings.
The company responded by issuing notifications via U.S. Mail to impacted individuals, detailing the compromised data and offering guidance on protective measures. However, no public information was provided regarding additional support, such as credit monitoring or identity theft protection services. The incident underscores the critical need for robust data security measures, particularly when handling high-value PII, as the exposure of such data can lead to long-term financial and reputational harm for victims.
The breach’s scale—affecting nearly a thousand individuals—highlights systemic vulnerabilities in data protection, reinforcing concerns over how financial institutions safeguard sensitive customer information against evolving cyber threats.
OCTOBER 2025
758
Breach
27 Oct 2025 • JPMorganChase
JPMorgan Chase, Fried, Frank, Harris and Shriver & Jacobson LLP: 659 JPMorgan clients affected by data breach at Fried Frank
Fried Frank Data Breach Exposes PII of 659 JPMorgan Clients
736
CRITICAL-22
JPMFRI1768878048
A data breach at law firm Fried, Frank, Harris, Shriver & Jacobson LLP has compromised the personal information of 659 JPMorgan Chase clients, including investors and associated individuals. The incident stemmed from a compromised user account that allowed an unauthorized third party to access and copy files from a shared network drive.
The breach was discovered on October 27, 2025, with JPMorgan Chase notified on December 9, 2025. Exposed data included names, account numbers, Social Security numbers, passport numbers, government IDs, and contact details. Affected individuals spanned multiple states, with 37 in Massachusetts, two in New Hampshire, and one in Maine.
Regulatory disclosures were filed with the Maine Attorney General, Massachusetts Office of Consumer Affairs and Business Regulation, and New Hampshire Attorney General on January 12, 2026.
In response, JPMorgan Chase and Fried Frank conducted a joint review to assess the breach’s scope and bolster security measures. While JPMorgan’s systems remained uncompromised, the firm is offering affected clients two years of free credit monitoring through Experian IdentityWorks, including daily credit monitoring, identity theft resolution, and $1 million in insurance coverage.
The incident highlights vulnerabilities in third-party legal service providers handling sensitive financial data.
SEPTEMBER 2025
757
AUGUST 2025
755
JULY 2025
753
MAY 2025
786
Ransomware
01 May 2025 • JPMorganChase
Unnamed Financial Institution
Fog Ransomware Attack on Financial Institution
748
CRITICAL-38
JPM602061325
In May 2025, an unnamed financial institution in Asia was targeted by Fog ransomware hackers. The attackers utilized legitimate employee monitoring software Syteca (formerly Ekran) and several open-source pen-testing tools, including GC2, Adaptix, and Stowaway. This tactic, described as 'living off the land,' allowed the attackers to operate more stealthily, reducing the likelihood of detection. The use of legitimate software in the attack chain was deemed highly unusual and reflects a shift in the tactics employed by Fog hackers.
JANUARY 2025
810
Breach
01 Jan 2025 • JPMorganChase
JPMorgan Chase, Citigroup and Morgan Stanley: Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook
Cyber Threats in Finance: 2025’s Rising Risks and Evolving Attack Tactics
782
CRITICAL-28
CITJPM1776832106
In 2025, financially motivated cyberattacks dominated the financial sector, driving 90% of breaches targeting banks, insurers, and payment processors. Data breaches accounted for 64% of incidents, with ransomware making up the remaining 36%. The average cost of a breach in finance reached $5.56 million per incident, the second-highest across all industries.
Personal data was the most frequently compromised asset (54% of cases), followed by internal organizational data (35%) and credentials (22%). Attackers leveraged stolen information for fraud, credential resale, and persistent network access. Initial access methods remained consistent, with hacking (45%), malware (37%), and social engineering (25%) as the primary vectors.
AI Accelerates Attack Timelines and Fraud
AI integration reshaped cyber threats in 2025, compressing the window between vulnerability disclosure and exploitation. Machine learning-powered scanning tools enabled faster reconnaissance, while adaptive malware evaded signature-based detection by dynamically altering behavior in response to security controls. Generative AI amplified social engineering, producing contextually accurate phishing emails, deepfake impersonations, and fraudulent invoices that bypassed traditional filters. Fraud-as-a-service offerings on underground markets further lowered the barrier to entry for less skilled attackers.
Unmanaged AI adoption within organizations, termed shadow AI, contributed to 20% of AI-related breaches. Among affected institutions, 97% lacked adequate access controls for AI systems.
Third-Party Risks Escalate
Supply chain compromises played a role in 30% of financial sector breaches, a significant increase from prior years. Vulnerable file transfer solutions, managed service platforms, and APIs served as common entry points. A breach at a shared third-party provider exposed customer data at major U.S. banks, including JPMorgan Chase, Citigroup, and Morgan Stanley, prompting regulatory scrutiny. Cryptocurrency exchange Bybit suffered a $1.5 billion theft after attackers exploited weaknesses in third-party wallet infrastructure.
Ransomware Shifts to Data Exfiltration
Ransomware impacted 12.8% of B2B financial organizations, with attackers prioritizing data exfiltration over encryption. Variants like Akira, Datacarry, and BlackLock targeted European institutions, while U.S. attacks increasingly focused on stealing sensitive data to trigger regulatory disclosures and investigations even when systems remained operational.
Hacktivists and State Actors Intensify Pressure
Hacktivist groups, including NoName057(16) and DarkStorm Team, launched DDoS campaigns against banks, particularly during elections and periods of geopolitical tension. State-aligned advanced persistent threat (APT) actors continued targeting financial institutions for intelligence gathering, exploiting zero-day vulnerabilities and maintaining long-term access. Geopolitical instability sustained elevated levels of disruptive activity throughout the year.
DECEMBER 2024
811
Vulnerability
03 Dec 2024 • JPMorganChase
Fortinet, Cisco, Amazon Web Services and JPMorgan Chase: Cloud storage buckets leaking secret data despite security improvements
Toxic Cloud Trilogies: Publicly Exposed, Critically Vulnerable, and Highly Privileged Cloud Buckets
810
CRITICAL-1
FORCISAMAJPM1767748297
Tenable Report Highlights Persistent Cloud Security Risks Despite Improvements
A recent report by Tenable reveals both progress and ongoing vulnerabilities in cloud security, particularly around "toxic cloud trilogies"—publicly exposed, critically vulnerable, and highly privileged cloud instances. Between October 2024 and March 2025, the number of organizations with at least one such instance on AWS or Google Cloud Platform (GCP) dropped from 38% to 29%, while those with five or more declined from 27% to 13%. Despite these improvements, Tenable warns that such exposures remain a pressing concern.
The report also uncovered widespread exposure of sensitive data in cloud configurations. Researchers found that 54% of AWS Elastic Container Service (ECS) task definitions and 52% of Google CloudRun environment variables contained confidential information. Additionally, over a quarter of AWS users stored sensitive data in user data fields, with 3.5% of AWS EC2 instances holding secrets—posing a significant risk if exploited. AWS hosted the highest proportion of sensitive data (16.7% of its buckets), compared to 6.5% for GCP and 3.2% for Microsoft Azure.
While nearly 80% of AWS users have enabled critical identity-checking services, the findings underscore persistent misconfigurations and overconfidence in cloud security measures. The report, released at AWS re:Invent 2024 in Las Vegas, highlights the need for continued vigilance in securing cloud environments.
OCTOBER 2024
817
Cyber Attack
01 Oct 2024 • JPMorganChase
PayPal and Chase: New BlobPhish Attack Leverages Browser Blob Objects to Steal Users’ Login Credentials
BlobPhish: A Stealthy, Memory-Resident Phishing Campaign Targeting Microsoft 365 and Financial Institutions
810
CRITICAL-7
JPMPAY1777400719
Since October 2024, a sophisticated phishing campaign dubbed BlobPhish has been silently harvesting credentials from Microsoft 365 users and major U.S. financial platforms, including Chase, Capital One, and PayPal, by exploiting browser Blob URL APIs. Unlike traditional phishing attacks, BlobPhish generates malicious login pages entirely in the victim’s browser memory, leaving no disk artifacts, cache traces, or detectable HTTP requests for security tools to flag.
The campaign, which surged in activity in February 2026, operates as a well-maintained threat rather than a short-lived attack. Its kill chain begins with phishing emails mimicking financial alerts, invoices, or document shares, often using trusted services like DocSend or shortened URLs (e.g., t.co). Some variants employ PDF attachments with QR codes, particularly targeting the energy sector.
Upon clicking the link, victims are redirected to an attacker-controlled HTML page hosting a JavaScript loader. The loader decodes a bundled phishing payload, constructs a Blob object, and forces the browser to navigate to a blob:https:// URL, all without user interaction. The phishing page, which impersonates platforms like Microsoft 365, OneDrive, or banking portals, appears legitimate due to the blob URL’s deceptive appearance. A failed-login counter ensures multiple credential entries, while stolen data is exfiltrated via HTTP POST to compromised WordPress sites (e.g., /res.php, /tele.php).
BlobPhish’s evasion tactics render traditional defenses ineffective. Since the phishing page never transmits over the network as a standalone HTTP response, URL reputation engines, proxy logs, and secure email gateways fail to detect it. Endpoint solutions find no files on disk, and cache forensics yield no evidence, as the Blob URL is revoked immediately after use.
Victims span finance, manufacturing, education, government, and telecommunications sectors, with roughly one-third based in the U.S. Additional activity has been observed in Germany, Poland, Spain, the UK, Australia, and several Middle Eastern and Asian countries.
A successful compromise can lead to business email compromise (BEC), Microsoft 365 tenant takeovers, unauthorized wire transfers, or ransomware deployment. Regulatory risks include GDPR breach notifications, SEC cybersecurity disclosures, and FFIEC compliance violations.
Key indicators of compromise (IOCs) include loader URLs like hxxps[://]mtl-logistics[.]com/blb/blob[.]html and exfiltration endpoints such as hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php. Compromised domains also include larva888[.]com and riobeautybrazil[.]com.
AUGUST 2021
810
Breach
26 Aug 2021 • JPMorganChase
JPMorgan Chase Bank, N.A.
Data Breach at J.P. Morgan Chase Bank, N.A.
788
CRITICAL-22
JPM404072625
The California Office of the Attorney General reported a data breach involving J.P. Morgan Chase Bank, N.A. on April 29, 2024. The breach occurred due to a software issue that allowed unauthorized access to plan participant information between August 26, 2021, and February 23, 2024, potentially affecting personal and financial information such as names, addresses, Social Security numbers, and bank account details.
MAY 2021
830
Breach
24 May 2021 • JPMorganChase
JPMorgan Chase Bank, N.A.
JPMorgan Chase Bank Data Breach
808
CRITICAL-22
JPM351072625
The California Office of the Attorney General reported that JPMorgan Chase Bank, N.A. experienced a data breach on May 24, 2021, affecting customer account information. The report was made on August 13, 2021, and notification letters detailed that personal and financial information may have been accidentally seen by another customer, although no indication of misuse of information was reported.
JUNE 2018
837
Breach
28 Jun 2018 • JPMorganChase
JPMorgan Chase Bank, N.A.
JPMorgan Chase Data Breach
816
CRITICAL-21
JPM357072525
On August 10, 2018, the California Office of the Attorney General reported that JPMorgan Chase Bank, N.A. experienced a data breach on June 28, 2018. An employee improperly downloaded customer information, including names, addresses, mortgage loan numbers, and Social Security numbers, to a personal computer and online data storage sites, potentially exposing this data to third parties for about three weeks.
JULY 2013
844
Breach
01 Jul 2013 • JPMorganChase
JPMorgan Chase Bank, N.A.
JPMorgan Chase Bank Data Breach
823
MEDIUM-21
JPM108072925
The California Office of the Attorney General reported a data breach involving JPMorgan Chase Bank, N.A. on December 5, 2013. The specific date of the breach is unknown, but the incident was detected between mid-July and mid-September 2013, potentially compromising personal information such as names, addresses, Social Security numbers, and bank account details.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for JPMorganChase?
What was JPMorganChase's A.I Rankiteo Cyber Score in May 2026?
What was JPMorganChase's A.I Rankiteo Cyber Score in April 2026?
What was JPMorganChase's A.I Rankiteo Cyber Score in March 2026?
What was JPMorganChase's A.I Rankiteo Cyber Score in February 2026?
What was JPMorganChase's A.I Rankiteo Cyber Score in January 2026?
What was JPMorganChase's A.I Rankiteo Cyber Score in December 2025?
What was JPMorganChase's A.I Rankiteo Cyber Score in November 2025?
What was JPMorganChase's A.I Rankiteo Cyber Score in October 2025?
What was JPMorganChase's A.I Rankiteo Cyber Score in September 2025?
What was JPMorganChase's A.I Rankiteo Cyber Score in August 2025?
What was JPMorganChase's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on JPMorganChase's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with JPMorganChase?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view JPMorganChase's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?