JPMorgan Chase & Co., the largest bank in the United States by assets, revealed on Thursday in a filing with the Securities and Exchange Commission (SEC) that data on roughly 76 million households and 7 million small businesses was compromised in the breach disclosed this summer.
According to the company, there’s no evidence that the attackers accessed account numbers, passwords, user IDs, dates of birth, Social Security numbers or other account information. Instead, the hackers gained access to user contact information such as names, addresses, email addresses and phone numbers.
JPMorgan says it still hasn’t seen any fraudulent transactions that could be related to the incident. The organization also reiterated that customers are not liable for unauthorized transactions.
While people familiar with the investigation claim significant progress has been made, the security industry has pointed out the implications of these latest revelations.
And the Feedback Begins…
Joshua Douglas, CTO, Commercial Cyber Solution Strategies at Raytheon Cyber Products:
“No industry large or small is immune from cyber espionage or cyber breaches. We’re now living in a world where everyone is connected by the internet, relationships, including financial institutions. Enterprises need to continue to push the envelope and think ‘outside of the box’ past just guarding their perimeter networks. They need to monitor and look at the connections between companies and people and the way these entities relate to one another and behave with one another in their day to day connections.”
Rob Sadowski, Director of Technology Solutions, RSA:
“The details from this latest disclosure serve as another reminder that any organization that holds personal information should consider that information an asset that will be targeted by cybercriminals. Constant diligence is required to protect this data, including assessment of likely threat actors who may seek it and intelligence on the tactics they may employ to get at it. Despite the sophistication and capabilities that the financial sector has developed to defend against cyber attacks, constant assessment of new threats and risks, visibility into potential attacks and the agility to investigate and respond remain paramount.
As long as personal information is used as a principal way to reset passwords or serves as one of a limited set of authentication factors, the risks associated with this kind of data and its value to cybercriminals will persist.”
Paul Lipman, CEO of iSheriff:
“In today’s world in which employees are increasingly mobile, network perimeter defense is simply no longer sufficient or acceptable. Once an employee’s device leaves the network, it is highly vulnerable and represents an attractive attack vector for cyber-criminals. Financial institutions that are looking to learn from the JPMorgan breach should consider new approaches to extending the network perimeter to cover all devices at all times – preferably through a pervasive cloud-based protection layer that is continually updated and monitored against potential attacks.”
Gavin Millard, Technical Director, Tenable Network Security:
“Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed. Was it a phishing attack directed towards an employee, a zero day vulnerability utilized or simply a poorly configured edge device giving access?
Organizations would benefit from more information sharing between investigators and interested affected parties, but today’s business environment does not support that as common practice. We need to take a closer look at why it’s problematic to share and what’s being done to improve information sharing. This would benefit every other business defending against attack.”
Tal Klein, VP of strategy and marketing for Adallom:
“The average layperson sees the word ‘breach’ and, thinking they’ve been hacked – along with all the negative connotations – struggles to determine what to do next. This puts them in the precarious position of having to immediately make a haphazard impact and remediation assessment, something that takes enterprise risk managers months to accomplish.
In the JP Morgan case, only ‘seed’ data was exfiltrated – meaning names, email addresses, phone numbers – basically requiring no consumer-side remediation, whereas the Home Depot breach remediation was a complicated, confusing and expensive process of filing claims, replacing credit cards and monitoring credit activity. While the differences may have been evident for those of us ‘in the biz,’ it was not communicated to the mainstream media who covered the events and thus was not well understood by the public.
In general, treating all data security incidents as a ‘breach’ in the generic fuels the misconception that all breaches are created equal, perpetuates the tendency for media coverage to focus on misleading elements of a data breach and may result in poorly informed remediation response either because a breach has been overhyped or because the public has simply grown weary of hyperbolic coverage – in other words ‘data breach fatigue.’
If there’s one lesson learned from these well-publicized data breaches, it’s that risk management must be an ongoing and transparent process if industry is to engender trust with the public.”
Zach Lanier, Senior Security Researcher at Duo Security:
“It’s not uncommon for the affected organization (or investigators) to deflect in a matter like this, more so when there’s an active investigation underway. However, it’s peculiar that JPMorgan Chase would so adamantly deny it, especially in light of conflicting information. The proof is in the pudding, I guess, and we’ll see what happens. If pastebin sites start filling up with JPMorgan-related dumps, well…that’d be a pretty tell-tale sign of some true badness.
Attacks such as these put heavy emphasis on the significance of stealing credentials. Moving forward, I can’t stress enough the need for two-factor authentication. By enabling two-factor authentication as the first layer of defense, online banking and financial firms can protect themselves and their users from attacks that steal passwords and successfully authenticate from a remote location and device.”
Contrast Security CTO Jeff Williams:
“The news of the extent of the hack on JP Morgan is deeply disturbing. But focusing on the number of accounts breached is potentially misleading. This is far more serious than recent POS credit card number breaches. This isn’t just a normal privacy breach, this is the real deal. In this breach, attackers took full control of millions of personal and business accounts – meaning that they could transfer funds, disclose information, close accounts, and basically do whatever they want to the data.
Apparently, JP Morgan reported that there was no evidence that account information, including passwords or Social Security numbers, was taken and that no money was stolen. That’s not surprising if the attackers had total control over the servers, log files, and databases. Even inexperienced hackers know how to exfiltrate data without being detected and how to cover their tracks.
The bottom line is that the attackers were in total control of at least 90 servers (that they know of) for over two months (as far as they know). Privacy laws mandate that entities report information about breaches that involve personal information. But the privacy information disclosed by the JP Morgan breach is trivial in comparison to the impact on the integrity of JP Morgan’s business.”
Dr. Mike Lloyd, CTO of RedSeal Networks:
“The apparent stealthiness of the breach at JPMC is notable – theft of information, without any known theft of money. It’s a reminder that criminals value information highly – much the same way that military commanders value battlefield intelligence, however obtained. It’s easier to spear-fish if you know where the target fish like to hang out, of course.
It’s also worth noting that JPMorgan representatives commented that they immediately closed access paths. Ideally, vulnerable access paths would be closed off in advance, when not needed, but this is challenging in a large and fast-moving organization. Automated discovery of the ‘war room map’ is a great help, both in preventing such incidents, and in recovering quickly after them.”
Steve Hultquist, chief evangelist at RedSeal Networks added:
“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet. They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks. However, this breach demonstrates that even the best reactive technology and processes aren’t enough.
Organizations need to deploy automated analysis of their entire end-to-end network access paths, using technology to find misconfigurations, unexpected consequences of configuration interactions, and other unanticipated results of the complexity of modern networked infrastructures. Using proactive cyberattack prevention, organizations can be sure that their monitoring and reactive technologies are properly placed, that their network zones are correctly implemented, and can more precisely understand the implications of their overall set of network configurations.”
Until Next Friday…Have a Great Weekend!