The news that JPMorgan Chase & Co, which is the largest of the US banks with a reach that extends to half of all American households, has been breached will surprise nobody. At least not in the sense that this is old news, with a disclosure of the event happening in August. The actual breach was discovered by the bank back in July, and is thought to have been active for at least a month prior to that. What is surprising, however, is that a financial organisation of such a size and reputation should fall victim to such a breach in the first place. One highly placed individual in the IT security business told me over a pint that "if it can happen to JP Morgan then, frankly, it can happen to anyone" and that wasn't just the drink talking. Also surprising was the claim that a million accounts had been compromised during the breach, a claim made during the initial disclosure.
Just before the weekend the surprise level went off the scale as the New York-based bank revealed, via a regulatory filing, that the actual numbers were a little higher. How much higher? How does 76 million households and 7 million small businesses higher strike you? Of course, this can be played down by comparing it to other mega-breach statistics: the Target attack last year hit 110 million accounts, and the more recent eBay hack 145 million. That doesn't make the JP Morgan numbers any the less striking though, this is a bank we are talking about after all and bloody great big one at that. Let's not forget that JP Morgan is that largest bank in the USA by measure of assets. It insists that no financial information has been compromised, and further that there has been no breach of login data. Email addresses, names, addresses, phone numbers have all been accessed though. To be honest, this is a case where it is less worrying what information has been breached than the fact that the breach happened in the first place.
So what does the IT security world have to say about? DaniWeb has been collating the comments on the ITSec grapevine:
Alert Logic's chief security evangelist, Stephen Coty, says:
Looking at the data that was exposed it sounds like they gained access to a server that was used for marketing purposes. Perhaps for physical/cyber mailing of advertisements and notifications. There was mention that the data was organised by category of customer (Banking, Credit, Mortgage) with only name, address, telephone numbers and email addresses. This sounds like the credit card and banking information was secured and untouched by hackers. This type of data is stolen and sold on the underground for use of spam campaigned and url redirects to malicious sites.
Tenable's EMEA Technical Director, Gavin Millard, says:
Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed. Was it a phishing attack directed towards a JP Morgan employee, a zero day vulnerability utilised or simply a poorly configured edge device giving access? Organizations would benefit from more information sharing between investigators and interested affected parties, but today’s business environment does not support that as common practice. We need to take a closer look at why it’s problematic to share and what’s being done to improve information sharing. This would benefit every other business defending against attack.
Engineering manager at Rapid7, Tod Beardsley, says:
Unfortunately we may still see piggyback attacks where cybercriminals launch social engineering attacks to cash in on the customer anxiety that follows the news cycle surrounding reports of any big-name breach. The usual advice applies: If you get an e-mail or a call from a JP Morgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card or statement for the contact number; you simply can't trust that an incoming call or e-mail is legitimate and not a phishing attempt.
Global Director of Security Strategy at NTT Com Security, Garry Sidaway, says:
The good news on this story is the fact that the time to detect the breach is significantly shorter than the average. But it does still indicate the huge challenges every business has against the increasingly complex threat landscape. My concern now is making sure that the lessons are learned and that information security and risk management are embedded into the business to protect personal data . Also as we have seen through the Global Threat Intelligence report, how they manage the incident is also critical.
CTO of RedSeal Networks CTO, Dr. Mike Lloyd, says:
The apparent stealthiness of the breach at JPMC is notable – theft of information, without any known theft of money. It’s a reminder that criminals value information highly - much the same way that military commanders value battlefield intelligence, however obtained. It’s easier to spear-fish if you know where the target fish like to hang out, of course. It’s also worth noting that JPMorgan representatives commented that they immediately closed access paths. Ideally, vulnerable access paths would be closed off in advance, when not needed, but this is challenging in a large and fast-moving organization. Automated discovery of the ‘war room map’ is a great help, both in preventing such incidents, and in recovering quickly after them.
Head of Malware Intelligence at Malwarebytes Labs, Adam Kujawa, says:
Without actual account credential information, the cyber criminals would not be able to use victims’ credit cards or gain access to their bank accounts. However, if this information is coupled with already stolen credentials, it could be used to verify the criminal as the intended user of the credentials. In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks. Using personal information like name, phone number, address, e-mail and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials. In addition, often times personal information like this is sold on the black market to advertisers and spam peddlers, so if anything, the cyber criminals who obtained this information will be selling it for that.