My wife and I Refi’d our house with Chase in May. They provided exemplary service and their mortgage division customer retention program is nothing short of phenomenal.

But the company’s security reporting and escalation system was such an epic failure I am hard pressed even to call it abysmal. It was worse than that.

The Chase Refi process was perfect. We aggregated the necessary data gathered from a myriad of disparate sources, filled out the forms and signed a slew of affidavits. The communications with their Refi offices were impeccable, even as I was constantly traveling. Promises and dates were impeccably confirmed and kept. The closing rep came to our home on Monday, May 13th, and my only complaint was a sore carpal from endless signing. Thank you, Chase.

Fast forward to Sunday, May 19.

Now, I want to make one thing explicitly clear: their Epic Fail is in no way indicting, criticizing or faulting any of Chase’s information security efforts or practices. I have friends that work there; the company is not a client of mine and I have no vested business or financial interest in Chase. I am a mere solitary and happy customer; a mere ‘user’ of their services like tens of millions of others.

Yet, I am hyper-vigilant about security. Some of us call it awareness. I notice things, and when appropriate, I report things. Isn’t that what we try to inculcate into employees through awareness? What are the current mantras?

“See Something, Say Something.”

“If you see it, Report it!”

“Who Ya Gonna Call?”

That afternoon, I opened a snail mail from a Chase corresponding bank that I do business with. It contained all of the details on a new account that “I” had opened using a complete set of highly accurate personal details that were, to the best of my knowledge, non-aggregated until my Refi with Chase, in both electronic and physical forms. As you might guess, I had not opened any additional bank accounts.

Needless to say, I reacted swiftly, and immediately (1647h CST) I began contacting Chase to report what I thought might have happened. A possible data breach. At least an incident that concerned me, the “user”, enough to report it. The problems with their security incident reporting processes, however, were, sadly, instantly apparent.

I called no fewer than 7 different customer service numbers I found on statements, and through credit card and online references. Several of the customer service reps said, “we don’t do that, call this number…” and the extensions I was directed to were not open until Monday. Two reps actually claimed they were spouting security policy; potential breaches and incidents can only be reported between 8-5, EST, Monday through Friday. Coincidentally and lucky for us all, global cybercriminals restrict their activities to those same hours.

So what happened next?

Did I finally get someone to listen to me?

To take this potential data breach seriously?

Come back tomorrow for Part 2 of the Epic Fail Saga.

Winn Schwartau

President & Founder at SAC
Winn Schwartau is one of the world's top recognized experts on security, privacy, infowar, cyber-terrorism, and related topics. Winn is gifted at making highly technical security subjects understandable and entertaining & has authored more than 12 security books.