Dark Reading is part of the Informa Tech Division of Informa PLC

JPMorgan Chase Catches Heat On July Breach

The July breach may have exposed cardholders' personal information -- so why did the bank wait more than 2 months to notify state officials and affected customers?

When consumers lose their credit or debit card, they're expected to notify the card issuer in a timely fashion to minimize any related fraud or other lasting damage. But in the case of JPMorgan Chase, which this week began warning that hackers may have obtained prepaid card data and personal information for 465,000 of its cardholders, the same notification rules don't appear to hold true.

While the breach of JPMorgan Chase bank's systems occurred in July and the bank detected it in the middle of September, bank officials waited two and a half months before they began warning affected consumers.

All told, the July breach reportedly affected 2% of the bank's 25 million users of UCard, which is a prepaid card. Bank officials said that immediately after detecting the breach, they fixed the problem that had been exploited by hackers and notified both the FBI and Secret Service about the breach. They also said that information relating to the bank's debit card, credit card, and prepaid Liquid card holders wasn't compromised.

State officials in Connecticut this week said that the stolen information may have included names, social security numbers, bank account numbers, card numbers, dates of birth, security answers, passwords, addresses, and phone numbers. Such information, of course, would be useful for anyone seeking to commit identity theft.

According to some news reports, however, bank officials this week said that no personal information was stolen during the hack attack. Bank officials didn't immediately respond to an emailed request for clarification, nor did they respond to questions about how attackers gained access to the UCard systems or why the bank chose to wait so long before warning consumers. But according to news reports, while the stolen data was normally encrypted, it was being temporarily stored in plaintext format as a result of automated logging activity.

Bank spokesman Michael Fusco told Reuters that because there are no signs that attackers have employed the UCard data that may have been stolen, the bank has chosen to not issue replacement cards to the 465,000 affected consumers. However, the bank is offering them two years of free credit monitoring, according to Connecticut state officials. (Some news reports have said the monitoring will be offered for just one year; bank officials didn't immediately respond to an emailed request for clarification.)

State officials in Connecticut and Louisiana said they were first alerted to the UCard breach by the bank this week. Multiple states use the cards to provide services to residents, including child support payments, tax refunds, and unemployment benefits. Some businesses also use them to pay their employees.

Connecticut state treasurer Denise Nappier, in a statement issued Thursday, criticized the bank for not warning the state sooner about the breach, which affected 14,000 of the state's residents. "I am dismayed that JPMorgan Chase delayed informing my office of this security breach for two and a half months -- from mid-September, when they first learned of it, until this week," she said. "They should have picked up the phone immediately and called us. That the company failed to communicate this security breach in a timely manner raises concerns over its culture of compliance and broader governance issues."

Similarly, Kristy Nichols, the commissioner of administration for Louisiana -- where about 6,000 residents were affected by the breach -- said in a statement that the state would "hold JPMorgan Chase responsible to make certain that the rights and personal privacy of these Louisiana citizens is protected."

While full details of the breach haven't been released, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said that hackers gaining access to temporary files that the bank had failed to encrypt appeared to be to blame. "Financial transactions need scrupulous auditing, and that means keeping an accurate record somewhere of what happened, and when," he said in a blog post. "But logging can be a security risk as well as a benefit. Accordingly, businesses should keep all personal data encrypted, regardless of whether it's being stored to disk, or sent across a network."

In other words, the bank may have erred by failing to properly encrypt all sensitive data. "If you're logging sensitive data, don't wait until it reaches its final destination before encrypting it," Ducklin said.
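Ducklin's point about protecting sensitive data at the moment it is logged, shown as an added Python example that is not from the article, from Sophos, or from JPMorgan Chase: a logging filter that Luhn-checks candidate card numbers and replaces PANs and SSNs with a keyed HMAC token plus the last four digits before any handler writes the line, so a temporary log file never holds the plaintext. The key, the regex patterns, and the sample log line are constructed assumptions.

```python
import hashlib
import hmac
import logging
import re

# Constructed example key; a real deployment fetches this from a KMS/HSM, not source code.
LOG_TOKEN_KEY = b"example-key-not-for-production"
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check so long non-card numbers (order ids, timestamps) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def tokenize(value: str, key: bytes = LOG_TOKEN_KEY) -> str:
    """Keyed HMAC: the same PAN always maps to the same token, so audit trails still correlate."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def redact(text: str, key: bytes = LOG_TOKEN_KEY) -> str:
    """Replace PANs and SSNs in a log line before it reaches any handler or temp file."""
    def mask_card(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return f"PAN[tok={tokenize(digits, key)} last4={digits[-4:]}]"
    text = CARD_RE.sub(mask_card, text)
    return SSN_RE.sub(lambda m: f"SSN[tok={tokenize(m.group(0), key)}]", text)

class SensitiveDataFilter(logging.Filter):
    """Attach to each handler so the redacted text is all that is ever written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for handler in logging.getLogger().handlers:
        handler.addFilter(SensitiveDataFilter())
    # Constructed sample line of the kind a card-load transaction logger might emit.
    logging.info("UCard load ok card=4111 1111 1111 1111 ssn=123-45-6789 amt=%s", "250.00")
```

The filter sits on the handlers rather than the logger so records propagated from child loggers are covered too; if the tokens are reversible-by-policy, the HMAC key must be managed and rotated like any other secret.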

The UCard breach is only the latest in a string of regulatory sanctions and attendant customer relations setbacks for JPMorgan Chase. For starters, in September the bank agreed to refund $309 million to 2.1 million consumers -- and pay $80 million in related fines -- after it enrolled consumers in additional credit card services for which they hadn't signed up, and which carried a monthly cost of between $7.99 and $11.99.

In October, the bank was ordered to pay $920 million in fines to settle a "London whale" trading mess involving derivatives trading losses worth $6.2 billion, which triggered investigations by both US and UK regulators, who slammed the bank for its poor internal controls.

And last month the bank was forced to cancel an #AskJPM Twitter marketing campaign that gave consumers the chance to question investment banker Jimmy Lee, who was behind Twitter's recent public valuation. But many consumers embraced the two-way communication in an unexpected way, using it to vent their rage at both the bank and Wall Street at large.
