The Green Sheet Online Edition
October 27, 2014 • Issue 14:10:02
JPMorgan breach gets complicated
First it was reported that the recent JPMorgan Chase & Co. data breach was limited to JPMorgan. Then it came out that the breach may have targeted a few other big banks. Now it is being widely reported that the hack may have targeted 13 other financial institutions (FIs) as well. The source of the attack is apparently still unknown.
In the JPMorgan breach, customer information pertaining to 76 million households and 7 million small businesses was compromised, according to an 8-K filing the bank made to the U.S. Securities and Exchange Commission on Oct. 2, 2014. JPMorgan claimed that the data compromise, which reportedly began the previous June and only came to light in July, was limited to names, addresses, phone numbers, and email addresses, and did not include financial account details, such as Social Security and credit card numbers, or the user IDs and passwords that would provide online access to those details.
On the Chase.com website, JPMorgan provided cardholders with further information about the breach, noting that the compromise affected its online banking portals, Chase.com and JPMorganOnline, as well as its mobile apps, ChaseMobile and JPMorgan Mobile. The fraudsters also compromised "internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with," JPMorgan said.
The bank is not offering its customers credit/identity theft monitoring because of its claim that no financial information was breached. Both the FBI and the U.S. Secret Service are investigating the incident.
Growing in sophistication
Most of the recent big breaches have occurred at national retailers like Target Corp. and Home Depot Inc. But the JPMorgan breach, with its tentacles extending to other FIs, highlights a troubling aspect of the data breach threat landscape – that even the largest and most technologically sophisticated financial services firms are not immune.
Michele Borovac, Vice President at cloud-control company HyTrust, is not surprised by the size and scope of the breach. "Data is the new currency, and clever thieves have figured out how to breach the perimeter security measures most companies have relied on," she said. "These breaches continue to show similarities to those experienced by Target and Home Depot: hackers gain access to privileged administrator accounts and then can continue on as 'authorized' users, allowing them to bypass traditional detection systems and gain unfettered access to data."
Adam Kujawa, Head of Malware Intelligence at the research arm of the anti-malware firm Malwarebytes, said, "Typically, targeted attacks take a multipronged approach where the attackers go after numerous points of entry. For example, they will gain intelligence on the physical and digital presence of the target’s servers and any kind of entry way through a direct or indirect route."
Hackers then conduct intelligence-gathering activities to target individual servers or unwilling accomplices to finagle their way into systems.
According to Martin Walter, Senior Director at cybersecurity firm RedSeal Networks, another problem facing the retail and financial services industries is that hackers have time and money to plan and execute attacks, while IT departments are always on the defensive. "This confronts customers with a catch 22 situation in which the IT department has to be agile and quickly respond to demands of the changing business landscape, but at the same time, maintain airtight network security in a growingly complex IT infrastructure," he said.
Fraudsters are also able to replicate successful attacks. "As the recent broadside of attacks across multiple financial companies shows, attackers find one weapon, then quickly re-use it, target after target, looking for anyone who has left that specific defensive gap," said Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks. "This forces defenders to coordinate – both externally, sharing information between erstwhile competitors, and even internally, since any weakness anywhere in the organization can be found and exploited in minutes."
Walter believes the solution to the data breach onslaught involves network segmentation to limit fraudsters' wiggle room if they do get inside a system. Borovac added a piece of advice: businesses should assume that they have already been breached.