A cyber break-in at JP Morgan Chase in June that was initially discovered in July was much more extensive than was previously thought, the bank disclosed yesterday, putting not only the bank’s but also the IT and financial world’s corporate communications departments into defensive mode.
The New York-based bank says the breach compromised the customer information of about 76 million households and 7 million small businesses, reports The Associated Press’ Alex Veiga.
“This is really a slap in the face of the American financial services system,” Gartner security analyst Avivah Litan tells Veiga. “Honestly, this is a crisis point.”
“The attack was under way for a month before it was discovered in July, and when it was disclosed in August, the bank estimated that about one million accounts had been compromised, writes Dominic Rushe in The Guardian.
In revealing the actual scope of the breach yesterday, the bank emphasized “there was no evidence that account numbers, passwords, user IDs, birth dates or Social Security numbers had been stolen,” Reuters’s Tanya Agrawal, David Henry and Jim Finkle report. “It added that it has not seen ‘unusual customer fraud’ related to the attack.”
“The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches,” write Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth in TheNew York Times. “Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.”
JP Morgan stressed also that “customers wouldn’t be liable for any unauthorized transactions on the account if the bank is notified, and that customers don’t need to change their passwords or account information,” report Emily Glazer and Danny Yadron in TheWall Street Journal.
But savvy customers are worried about more than the security of their own nest eggs and personal data.
“With its wide scope of potential victims the latest incident is likely to renew concerns that hackers easily could wreak havoc with the nation’s financial infrastructure,” Glazer and Yadron write.
“If this is the worst news from the breach, it’s reassuring,” writesBloomberg Businesweek’s Dune Lawrence “On the other hand, the larger picture is indeed scary. If any institution in the U.S. is prepared for such an attack, it’s the JP Morgan. And yet.”
“The fact that JP Morgan Chase could be breached should send a shiver of fear through every organization on the planet,” Steve Hultquist, chief evangelist at RedSeal Networks, a cybersecurity company, tells Lawrence. “They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks.”
Indeed TheNew York Times reports that not only is the breach at JP Morgan potentially more serious than those of previously disclosed hacks at retailers because of the more sensitive data that could be accessed, it also suggested that “lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Southern Europe, may have been sponsored by elements of the Russian government.”
In early versions of its story, it also suggested that am additional attack may have taken place but a JP Morgan Chase spokesperson denied any knowledge of a second break-in and “the Times later corrected its coverage,” CNBC reports.
Tom Kellermann, chief cybersecurity officer at Trend Micro, tells BankInfoSecurity.com’s Tracy Kitten and Jeffrey Roman that “once attackers infiltrate a network, it's easy for them to get back in.”
And once they’re there, they’re probably not looking to take out a mere cash advance at John or Jane Doe’s expense.
“The real question that must be asked is, ‘Are these cybercriminals front-running JP Morgan's fundamental market positions?” Kellermann tells Kitten and Roman. “... The true assets of financial institutions is information that would provide macroeconomic indicators that are more sensitive than speculative bets, a la fundamental hedging strategies.”
But Carl Herberger, vice president of security solutions at online security firm Radware, tells the reporters “it's too early to speculate about who may have attacked Chase in June and difficult to sort through the allegations of new attack activity possibly connected to the breach.”