@ODA155    I agree.  Software is just one piece of this puzzle.   And I thank you for taking the time to do the deep thinking on the issue.  I agree with your listed shortcomings, chief among them is research and incorporating security tools within the current infrastructure.

And it sounds simple but you know someone was alerted and apparently it was ignored.  That is an aspect that makes this all the more reason that someone should loose their job over this.   Which we are and will continue to wait on.

Regardless your points are well taken, and it might be wise for Chase and all the rest of these companies to take heed to your recommendations (and to anyone who cares to comment ) because if this continues to happen, it won't continue to be funny.

@ODA155    Happy New Year to you as well  !     No I am not a Chase insider,   I should have said " I am reasonably certain...." instead of I know. I would never work at Chase , though I guess I could be bought.  : )  

No I am just a citizen and admin who has not quite gotten over the financial industry induced depression quite yet.   My opinions have also been formed by being a former customer of theirs - the bank is simply terrible.  If they invested as much in security as they do for expansion( a Chase on every corner ring a bell ?) , this issue probably would have never happened.

Rumor has it they are the oldest Bank in the U.S. and they act like it - so it is with great glee that I expose a few more aspects of Chase other than their inability to safeguard the data entrusted them.

I am patiently waiting for the next blunder by Chase ( and Sony for that matter) because it is sure to happen.  Just in the case of Chase though, we won't know exzactly know when the latest breech happened until they are apparently good and ready.

It may be time to remind Chase execs again, that neither they nor their vaunted business is above the Law.

• doing a poor job of product research, evaluation and planning on how to insert them into the current infrastructure.

• turning the systems over to already over-taxed, under-staffed sysadmins who put security behind operations and performance.

• security systems turned down or alerts being ignored

@jamieinmontreal        You raise some excellent points about this issue of security.   And I do certainly agree that the Security industry does not do itself any favors with the customary convoluted software which would tax the best admins among us.  

 It reminds me of troubleshooting a firewall about 10 years ago - the manual at the time was the size of a book you might see in Law school or Congress.  It was a major challenge to sift through an interface that was even at that time confusing at best.   I finally did get access through a port that was needed, but it was one of my most challenging projects up until that point.   So I understand security is no easy job, but vendors can and should make things much easier for admins.

And you bring up another great point about the vastness of security layers.  This certainly makes this issue even more difficult.    Not to mention the regulations.

But I think what annoys me most is what Kelly mentioned earlier in the thread, if we can't depend on those in the the financial industry to take those steps that mere mortals fear to tread, what hope do we really have ?

Sony is a prime example of this - many believe that there is a separate group which took down their Playstation network.     So not only have they been breeched, it is by two distinct groups !    What security hole are these companies overlooking ?   I know security experts hate to think they don't have a solution, but in Sony's case  - this appears to be true.

But in the case of Chase ?     There is simply no excuse, ( not to imply there is one for Sony either) these companies have more than enough resources to get the best experts.   This did not happen and why ?   Because as you mention (and I also agree ) security is seen as an expense and it is clear companies have a conducted risk analysis on the amount of bad press and potential loss that a breech might cause.   

I like your ideas for improvement - I hope the industry hears us because it is obvious that the practices that are in place  -  Just are not working.

• New Security industry standards as opposed to Regulatory compliance becoming a driver  "Industry standard X will help you meet the following Cyber security regulations..." kind of a thing.
• Consolidation of industry players, MSPs, SIs, Resellers, VARS, LARS, Providers, consultants coming together to create security driven services and bundling products that work well together.
• Shifting budgets away from CapEX to Operationalised models with hybrid cloud coming to the fore.   This will be in tandem with a shift in focus from perimiter "build me a bigger wall" security to knowledge based "who are you and what do you want" security.   Identity management will become a critical enabler of this flexible, cloud based, spinup/spindown Information technology infrastructure.

What's most disturbing here is that we look to financial institutions as the "gold standard" for security.

@Kelly       Your point is absolutely correct, there is no argument there.  But I ask, was this assumption ever realistic and earned ?   The Banks will argue they have a low rate of breeches   Well what is that actually due to ?  It has been implied that the financial industry was the best in this regard because after all - security is in their best interest.

And that is where the issue of security becomes blurred IMO.   What is the business that Chase (in this case) is in ?   It is not the security business nor altruism.   It is deposits and profits.   That is is all Chase and any other financial institution is concerned with because that is their business.   

This issue of security, (oh well ) that is regulated by the Government, in this case the 3rd. party to absorb blame should something go wrong,  Which ironically is needed because without it (Government) nothing would happen in a consistent way.

I refuse to see this latest "dropped security ball" from Chase, Sony ( and Target for that matter ) as purely a technical issue - that is too easy in my opinion.   Nor ignore that this is a reflection of their culture and business practice in general.  There is no shying away from this IMO.   

 The reactions of Chase  ( the delayed announcement..etc) and Sony ( it's everyone's problem response) only underscore the fact that these companies are not in the business of security nor apparently in employing it effectively.

Dr.T      That is what I am saying, two-form factor authentication should have been a basic requirement.   This is a Bank not an online site selling t-shirts.   Someone ought to loose their job(s), but this Chase, where your account is more likely to be closed than any potential security hole.