83 Million Compromised In JPMorgan Chase Breach

Bank says consumers and businesses don't even need to change passwords, but security experts believe attack is more serious than portrayed.

A breach of IT systems at JPMorgan Chase compromised personally identifiable information (PII) for more than 76 million households and 7 million businesses, according to an SEC filing recorded yesterday.

The breach ranks as the 11th largest by number of records compromised, though officials at the institution say the type of records stolen is not as severe as in other breaches. They claim that customer accounts are safe because no account details, social security numbers, or credit card numbers were pilfered in the attack. The theft was limited to names, addresses, phone numbers, and email addresses, as well as "internal Chase data used in providing connection with providing or offering services, such as the Chase line of business the user is affiliated with," the bank reported.

"Your money at JPMorgan Chase is safe," the bank told consumers in a statement about the breach. "Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident. We don't believe that you need to change your password or account information."

The bank also says it doesn't plan to offer customers credit monitoring due to what it perceives as a low risk of fraud as a result of the incursion. However, security experts remain skeptical that this breach is as low-impact as the bank has cast the news.

While account information wasn't stolen, the effort attackers put into stealing the information they did abscond with implies its importance.

"The apparent stealthiness of the breach at JPMC is notable -- theft of information, without any known theft of money," says Dr. Mike Lloyd, CTO of RedSeal Networks. "It's a reminder that criminals value information highly -- much the same way that military commanders value battlefield intelligence, however obtained."

The danger is that contact information and information about what kinds of accounts are held can help complete a picture of a victim when paired with additional information stolen elsewhere.

"If this information is coupled with already stolen credentials, it could be used to verify the criminal as the intended user of the credentials. In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks," says Adam Kujawa, head of malware intelligence at Malwarebytes Labs. "Using personal information like name, phone number, address, e-mail, and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials."

Even more troubling, though, is the kind of access the attackers were able to gain on bank systems during their foray on the JPMorgan network. The bank has been mum on details about the attack, but unnamed sources cited in a New York Times piece said that the attack started in June and wasn't discovered until late July. Investigations found that the attackers made their way deep into internal systems, gaining full administrative privileges on more than 90 servers, according to those sources.

"The privacy information disclosed by the JP Morgan breach is trivial in comparison to the impact on the integrity of JP Morgan’s business," says Jeff Williams, CTO of Contrast Security.

He says creative attackers could use the attack in a number of ways, including to catalog the bank's technologies for use in future attacks, to access source control systems to insert malicious code, to corrupt databases over time, to install stealthy backdoors, or to even set up an "Office Space" type of attack that steals small amounts of money over time. "The details of this attack are relevant to consumers -- and not just because their privacy information might be disclosed, but because they are the stakeholders. Their money is at risk." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Apprentice
10/8/2014 | 1:47:53 PM
83 Million At Direct Risk Now
As mentioned above, the bottom line is that even without account numbers, these sorts of details allow malicious folks to attack you personally with the goal of getting money from you. Sometimes they do so directly, by figuring out your online banking credentials (or your email credentials) and then directly taking money out of your bank account. Alternatively, it gives them enough information for social engineering attacks. In any case, it's worrisome for everyone involved in the breach.

One of the best steps that can be taken to protect against this sort of thing is to enable two-factor authentication on any online account that offers it. Since Facebook, Google, Twitter, and most banks allow for 2FA, and the 2FA usually involves your cell phone, there is no excuse for not enabling 2FA other than the general user not being aware of such a thing. 
Sara Peters,
User Rank: Author
10/6/2014 | 2:20:50 PM
Re: I'm becoming numb
@SecOps Specialists   All good points. I have been meaning to look around for a good credit union for years, actually. 
User Rank: Moderator
10/6/2014 | 2:12:10 PM
Re: I'm becoming numb
@Sara -

In response to your third question; I go with Credit Unions over big banks for several reasons.

1. They know you by name at many of the branches - oftentimes in big banks, unless it's a local branch that you visit every day, they don't know you.

2. You aren't just another account to them. Meaning that when you call you aren't just an account number, you're Sara Peters, not Ms. Peters or account 15978234.

3. They are less likely to try to pull fraudulent account acts such as letting all large charge transactions go through then nail you with fees upon fees for the account being negative.

Example: You have a bunch of normal transactions then decide to buy something expensive. They let the expensive item go through, putting your account at just the brink before negative, then the rest of the charges go through and they hit you with fees for every single charge that puts the account negative, then charge you another fee for the account being negative in the first place.

4. Credit Unions are owned by the members, not stockholders, so you have more say in what the institution does with your money rather than a bank.

That's just my two cents, for what they are worth.

Sara Peters,
User Rank: Author
10/6/2014 | 1:42:31 PM
I'm becoming numb
I'm a Chase customer, and I'm going to stay one, for a few reasons. 1. The info the attackers got is the same stuff they could find about me just about anywhere else, and despite the risks Ericka points out, I'm less worried about this than I am about plenty of other attacks. 2. Over the years Chase has provided lots of services to prevent, detect, and remediate fraudulent use of my account. 3. WHAT ARE MY OPTIONS? It seems like every bank everywhere is either going bankrupt, taking government bailout money to pay for their multi-million dollar bonuses, or having a breach.
User Rank: Moderator
10/6/2014 | 12:53:47 PM
The meaning of the word "secure"
I used to be a customer of JP Morgan. Then I found out they were compromised. I switched my primary account to a different institution. I've been watching my bank account like a hawk ever since and I have my own personal failsafes in place to ensure that if anything weird happens, I'm notified immediately. But I have to agree with Marilyn, it puts a whole new perspective on what is "secure".

I think it's pretty bad on them to say that the loss of PII isn't enough to warrant the use of credit monitoring for their customers. They can claim that SSNs were not stolen, but how do they really know the extent of the damage, considering that the attack started in June and they didn't discover it until July? That to me says about the same as the Target breach where they ignored alarms for months.
Marilyn Cohodas,
User Rank: Strategist
10/6/2014 | 10:49:02 AM
What's scariest about the JP Morgan breach
When retailers get breached -- it's annoying and problematic, especially if it's your card data that is compromised. But when a financial institution like JP Morgan -- where you would expect iron-clad security -- is attacked, it really does challenge some of our fundamental beliefs. And if it could happen to JP Morgan, you can bet it will happen at other big banks.