A breach of IT systems at JPMorgan Chase compromised personally identifiable information (PII) for more than 76 million households and 7 million businesses, according to an SEC filing recorded yesterday.
The breach ranks as the 11th largest by number of records compromised, though officials at the institution say the type of records stolen is not as severe as in other breaches. They claim that customer accounts are safe because no account details, social security numbers, or credit card numbers were pilfered in the attack, which was limited to names, addresses, phone numbers, and email addresses, as well as "internal Chase data used in providing connection with providing or offering services, such as the Chase line of business the user is affiliated with," the bank reported.
"Your money at JPMorgan Chase is safe," the bank told consumers in a statement about the breach. "Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident. We don't believe that you need to change your password or account information."
The bank also says it doesn't plan to offer customers credit monitoring due to what it perceives as a low risk of fraud as a result of the incursion. However, security experts remain skeptical that this breach is as low-impact as the bank has portrayed it.
While account information wasn't stolen, the effort attackers put into stealing the information they did abscond with implies its importance.
"The apparent stealthiness of the breach at JPMC is notable -- theft of information, without any known theft of money," says Dr. Mike Lloyd, CTO of RedSeal Networks. "It’s a reminder that criminals value information highly -- much the same way that military commanders value battlefield intelligence, however obtained."
The danger is that contact information and information about what kinds of accounts are held can help complete a picture of a victim when paired with additional information stolen elsewhere.
"If this information is coupled with already stolen credentials, it could be used to verify the criminal as the intended user of the credentials. In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks," says Adam Kujawa, head of malware intelligence at Malwarebytes Labs. "Using personal information like name, phone number, address, e-mail, and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials."
Even more troubling, though, is the kind of access the attackers were able to gain on bank systems during their foray into the JPMorgan network. The bank has been mum on details about the attack, but unnamed sources cited in a New York Times piece said that the attack started in June and wasn't discovered until late July. Investigations found that the attackers made their way deep into internal systems, gaining full administrative privileges on more than 90 servers, according to those sources.
"The privacy information disclosed by the JP Morgan breach is trivial in comparison to the impact on the integrity of JP Morgan’s business," says Jeff Williams, CTO of Contrast Security.
He says creative attackers could use the attack in a number of ways, including to catalog the bank's technologies for use in future attacks, to access source control systems to insert malicious code, to corrupt databases over time, to install stealthy backdoors, or to even set up an "Office Space" type of attack that steals small amounts of money over time. "The details of this attack are relevant to consumers -- and not just because their privacy information might be disclosed, but because they are the stakeholders. Their money is at risk."