Operations

10/3/2014 11:22 AM

83 Million Compromised In JPMorgan Chase Breach

Bank says consumers and businesses don't even need to change passwords, but security experts believe the attack is more serious than portrayed.

A breach of IT systems at JPMorgan Chase compromised personally identifiable information (PII) for more than 76 million households and 7 million businesses, according to an SEC filing made yesterday.

The breach ranks as the 11th largest on record by number of records compromised, though officials at the bank say the stolen records are less sensitive than in other breaches. They maintain that customer accounts are safe because no account details, Social Security numbers, or credit card numbers were taken. The data exposed was limited to names, addresses, phone numbers, and email addresses, along with "internal Chase data used in providing connection with providing or offering services, such as the Chase line of business the user is affiliated with," the bank reported.

"Your money at JPMorgan Chase is safe," the bank told consumers in a statement about the breach. "Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident. We don't believe that you need to change your password or account information."

The bank also says it doesn't plan to offer customers credit monitoring, because it judges the risk of fraud from the incursion to be low. Security experts, however, remain skeptical that the breach is as low-impact as the bank has portrayed it.

Account information wasn't stolen, but the effort the attackers spent to get the data they did take suggests that data has real value to them.

“The apparent stealthiness of the breach at JPMC is notable -- theft of information, without any known theft of money," says Dr. Mike Lloyd, CTO of RedSeal Networks. "It’s a reminder that criminals value information highly -- much the same way that military commanders value battlefield intelligence, however obtained."

The danger is that contact information, plus knowledge of what kinds of accounts a person holds, can complete a picture of a victim when combined with data stolen elsewhere.

"If this information is coupled with already stolen credentials, it could be used to verify the criminal as the intended user of the credentials. In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks," says Adam Kujawa, head of malware intelligence at Malwarebytes Labs. "Using personal information like name, phone number, address, e-mail, and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials."
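The phishing scenario Kujawa describes turns on a point worth making concrete: once an attacker has a victim's name, contact details and the fact that they bank with Chase, a lure that addresses the victim by name is no longer evidence of legitimacy. What can still be checked mechanically is whether the message and its links actually belong to the brand's own domains and whether it asks for credentials. The following is an added example, not code from the article or from JPMorgan Chase; the list of "legitimate" domains and both sample messages are constructed for illustration, and the lookalike host in the phishing sample is made up.

```python
"""Triage of an e-mail that claims to come from a bank (added example).

Personalisation (name, last four digits, line of business) is exactly what the
breach leaked, so it is not a trust signal. The checks below look instead at
where the message came from, where its links go, and what it asks for.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: domains the brand legitimately sends from and
# links to. A real deployment would source this from the institution itself.
LEGIT_DOMAINS = {"chase.com", "jpmorgan.com"}

CREDENTIAL_PHRASES = (
    "verify your account", "confirm your password", "log in to confirm",
    "enter your user id", "update your security information",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_brand_domain(host: str) -> bool:
    """True if host is a legitimate domain or a subdomain of one.

    A suffix match on ".chase.com" rejects the classic prefix lookalike
    "chase.com.something.net", which merely *starts* with the brand.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    findings = []

    # 1. Claims to be the brand (in the display name or the domain) but is not.
    claims_brand = "chase" in display_name.lower() or "chase" in sender_domain
    if claims_brand and not _is_brand_domain(sender_domain):
        findings.append(f"sender claims brand but domain is {sender_domain!r}")

    # 2. Every link must land on a brand domain.
    body = msg.get_payload(decode=True)
    text = body.decode(msg.get_content_charset() or "utf-8", "replace") if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not _is_brand_domain(host):
            findings.append(f"link to non-brand host {host!r}")

    # 3. Asks the recipient to hand over credentials.
    lowered = text.lower()
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        findings.append("asks recipient to supply credentials")
    return findings


# Constructed sample: personalised lure using exactly the kind of data leaked.
SAMPLE_PHISH = """From: "Chase Online" <alerts@chase-secure-login.com>
To: jane.doe@example.net
Subject: Action required on your account

Dear Jane Doe,
We noticed unusual activity on your Chase Sapphire account ending in 4421.
Please verify your account within 24 hours: http://chase.com.verify-4421.net/login
"""

# Constructed sample of a benign notice (hosts invented for the example).
SAMPLE_LEGIT = """From: "Chase" <no-reply@alerts.chase.com>
To: jane.doe@example.net
Subject: Your statement is ready

Your statement is available at https://secure.chase.com/web/auth/dashboard
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no findings")
```

Running it flags the first message three times (impostor sender domain, link to a host that only begins with `chase.com`, and a request to "verify your account") and the second not at all. The checks are deliberately structural rather than content-based: an attacker who holds the victim's name and line of business can make the content arbitrarily convincing, but cannot make a link resolve to the bank's own domain.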

Even more troubling is the level of access the attackers gained on bank systems during their foray into the JPMorgan network. The bank has said little about the attack, but unnamed sources cited in a New York Times report said the intrusion began in June and wasn't discovered until late July. According to those sources, investigators found that the attackers worked their way deep into internal systems, obtaining full administrative privileges on more than 90 servers.

"The privacy information disclosed by the JP Morgan breach is trivial in comparison to the impact on the integrity of JP Morgan’s business," says Jeff Williams, CTO of Contrast Security.

He says creative attackers could exploit that access in a number of ways: cataloging the bank's technologies for use in future attacks, reaching source control systems to insert malicious code, corrupting databases over time, installing stealthy backdoors, or even mounting an "Office Space" style attack that skims small amounts of money over time. "The details of this attack are relevant to consumers -- and not just because their privacy information might be disclosed, but because they are the stakeholders. Their money is at risk."
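The "Office Space" scenario Williams mentions is the classic salami-slicing attack: each debit is small enough that no account holder notices and no per-transaction review threshold fires, but the attacker collects from many accounts for a long time. Below is an added example of a detection heuristic for that pattern; it is not code from the article, Contrast Security or JPMorgan Chase. The ledger, the account names, the beneficiary, and the thresholds are all constructed for illustration.

```python
"""Detecting low-and-slow skimming in a transaction ledger (added example).

Heuristic: group sub-dollar debits by beneficiary and flag any beneficiary
that is fed by many distinct source accounts, many times. Ordinary
merchants get many small payments too, so the amount bound matters: a
coffee shop's $3-$6 purchases stay above it, while rounding-remainder
skims of a few cents fall below it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    when: date
    src: str          # debited account
    dst: str          # beneficiary account
    amount_cents: int


# Assumed tuning for this example (not any institution's real rules).
SKIM_MAX_CENTS = 100   # a debit under $1 is unlikely to be noticed by the holder
MIN_SOURCES = 10       # one beneficiary draining many unrelated accounts
MIN_COUNT = 100        # sustained over time, not a one-off


def find_skimming(txns, skim_max_cents=SKIM_MAX_CENTS,
                  min_sources=MIN_SOURCES, min_count=MIN_COUNT):
    """Return {beneficiary: summary} for beneficiaries matching the skim pattern."""
    by_dst = defaultdict(list)
    for t in txns:
        if 0 < t.amount_cents < skim_max_cents:
            by_dst[t.dst].append(t)

    flagged = {}
    for dst, group in by_dst.items():
        sources = {t.src for t in group}
        if len(group) >= min_count and len(sources) >= min_sources:
            flagged[dst] = {
                "count": len(group),
                "sources": len(sources),
                "total_cents": sum(t.amount_cents for t in group),
                "first": min(t.when for t in group),
                "last": max(t.when for t in group),
            }
    return flagged


def build_sample_ledger():
    """Constructed ledger: café purchases, one large transfer, and a skimmer.

    Deterministic arithmetic stands in for real activity so the example runs
    offline and reproducibly.
    """
    start = date(2014, 6, 1)   # the month the intrusion reportedly began
    txns = []
    for d in range(30):
        day = start + timedelta(days=d)
        # Legitimate: a dozen customers buy coffee ($3.50-$6.49) every few days.
        for i in range(12):
            if (d + i) % 3 == 0:
                txns.append(Txn(day, f"ACCT-{1000 + i}", "CAFE-17",
                                350 + (d * 13 + i * 17) % 300))
        # Skimming: 25 accounts each lose 1-99 cents every day to one beneficiary.
        for i in range(25):
            txns.append(Txn(day, f"ACCT-{2000 + i}", "ACCT-7731",
                            1 + (d * 7 + i * 3) % 99))
    # A single $2,500 transfer: large enough to be reviewed by other controls.
    txns.append(Txn(start, "ACCT-1001", "ACCT-1002", 250_000))
    return txns


if __name__ == "__main__":
    for dst, summary in find_skimming(build_sample_ledger()).items():
        print(dst, summary)
```

On the constructed ledger only `ACCT-7731` is flagged: 750 debits from 25 accounts, each under a dollar, running from June 1 to June 30. The café is not, because its individual amounts sit above the skim bound even though it also collects many small payments from many customers. Two caveats a practitioner would add: a real control would also weigh beneficiary account age and whether the source accounts have any prior relationship to the beneficiary; and, given that the attackers reportedly held administrative privileges on dozens of servers, the ledger itself cannot be trusted unless the copy being analysed is written out of band where those privileges do not reach.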

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
ecowper
User Rank: Apprentice
10/8/2014 | 1:47:53 PM
83 Million At Direct Risk Now
As mentioned above, the bottom line is that even without account numbers, this sort of detail allows malicious folks to attack you personally with the goal of getting money from you. Sometimes they do so directly, by figuring out your online banking credentials (or your email credentials) and then directly taking money out of your bank account. Alternatively, it gives them enough information for social engineering attacks. In any case, it's worrisome for everyone involved in the breach.

One of the best steps that can be taken to protect against this sort of thing is to enable two-factor authentication on any online account that offers it. Since Facebook, Google, Twitter, and most banks allow for 2FA, and the 2FA usually involves your cell phone, there is no excuse for not enabling 2FA other than the general user not being aware of such a thing. 
Sara Peters
User Rank: Author
10/6/2014 | 2:20:50 PM
Re: I'm becoming numb
@SecOpsSpecialist All good points. I have been meaning to look around for a good credit union for years, actually.
SecOpsSpecialist
User Rank: Moderator
10/6/2014 | 2:12:10 PM
Re: I'm becoming numb
@Sara -

In response to your third question; I go with Credit Unions over big banks for several reasons.

1. They know you by name at many of the branches - often, in big banks, unless it's a local branch that you visit every day, they don't know you.

2. You aren't just another account to them. Meaning that when you call you aren't just an account number, you're Sara Peters, not Ms. Peters or account 15978234.

3. They are less likely to try to pull fraudulent account acts such as letting all large charge transactions go through then nailing you with fees upon fees for the account being negative.

Example: You have a bunch of normal transactions then decide to buy something expensive. They let the expensive item go through, putting your account at just the brink before negative, then the rest of the charges go through and they hit you with fees for every single charge that puts the account negative, then charge you another fee for the account being negative in the first place.

4. Credit Unions are owned by the members, not stockholders, so you have more say in what the institution does with your money rather than a bank.

That's just my two cents, for what they are worth.

Sara Peters
User Rank: Author
10/6/2014 | 1:42:31 PM
I'm becoming numb
I'm a Chase customer, and I'm going to stay one, for a few reasons. 1. The info the attackers got is the same stuff they could find about me just about anywhere else, and despite the risks Ericka points out, I'm less worried about this than I am about plenty of other attacks. 2. Over the years Chase has provided lots of services to prevent, detect, and remediate fraudulent use of my account. 3. WHAT ARE MY OPTIONS? It seems like every bank everywhere is either going bankrupt, taking government bailout money to pay for their multi-million dollar bonuses, or having a breach.
SecOpsSpecialist
User Rank: Moderator
10/6/2014 | 12:53:47 PM
The meaning of the word "secure"
I used to be a customer of JP Morgan. Then I found out they were compromised. I switched my primary account to a different institution. I've been watching my bank account like a hawk ever since and I have my own personal failsafes in place to ensure that if anything weird happens, I'm notified immediately. But I have to agree with Marilyn, it puts a whole new perspective on what is "secure".

I think it's pretty bad on them to say that the loss of PII isn't enough to warrant the use of credit monitoring for their customers. They can claim that SSNs were not stolen, but how do they really know the extent of the damage, considering that the attack started in June and they didn't discover it until July? That to me says about the same as the Target breach where they ignored alarms for months.
Marilyn Cohodas
User Rank: Strategist
10/6/2014 | 10:49:02 AM
What's scariest about the JP Morgan breach
When retailers get breached -- it's annoying and problematic, especially if it's your card data that is compromised. But when a financial institution like JP Morgan -- where you would expect iron-clad security -- is attacked, it really does challenge some of our fundamental beliefs. And if it could happen to JP Morgan, you can bet it will happen at other big banks.