In a massive data breach of information that experts warn could fuel a wave of phishing attacks, JPMorgan Chase said attackers stole the contact information of as many as 7 million businesses and 76 million households from the company's database servers.
In a Securities and Exchange Commission filing after the close of financial markets Thursday, the financial giant said investigators determined that a cyberattack disclosed in August resulted in the exposure of customer names, addresses, phone numbers and email addresses as well as internal JPMorgan Chase information related to providing or offering services.
Customers that used Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile were impacted by the lapse, the company said.
No credit or debit cards were exposed in the breach. Passwords and user IDs were not compromised, the company said. Investigators did not find any evidence that sensitive customer account information, dates of birth or Social Security numbers were exposed in the security lapse.
"The firm continues not to have seen any unusual customer fraud related to this incident," the company said in its filing.
The FBI confirmed in late August that it was determining the scope of the attacks against several American financial institutions following the disclosure of the JPMorgan breach. The investigation had reportedly extended to as many as four other U.S. banks and authorities said the security lapse may have Russian or Eastern European ties. Just prior to the JPMorgan Chase announcement, The New York Times reported that the attackers used a zero-day exploit to gain access to the servers containing the customer data. Zero-day exploits target a previously unknown vulnerability in software.
Solution providers tell CRN that while the breach is massive in size, it pales in comparison to the string of credit card breaches and the account credential breaches that gave attackers access to email addresses and passwords. The JPMorgan security lapse likely gave attackers narrow access into systems containing less sensitive information, solution providers said. Sensitive personally identifiable information and account numbers are typically segmented from customer lists used for marketing purposes. Meanwhile, the systems containing the sensitive data are encrypted and monitored for probing attempts.
Even if the most sensitive data remains protected, the breach headlines still have an impact, said Michael Aquino, director of cloud services at Cetan. Small and midsize businesses may look at the breach and say even the big financial institutions can't protect themselves, Aquino said.
"No matter how much you spend you're still vulnerable, so the best thing you can do is minimize the seriousness of a lapse," Aquino said. "This is a reminder that even with access to the top security technology, one little mess-up can be costly."
Financial institutions with the budgeting for IT security teams and much of the latest security technology are also very closely monitoring system logs, correlating events and flagging and investigating activity that could be suspicious, said Brad Taylor, CEO of Irvine, Calif.-based managed security services provider Proficio. Taylor, whose firm specializes in providing log analysis and alerts to clients, said midsize organizations often need the extra help to identify and investigate activity that could be a threat.
"Just having malware on a system isn't the only thing that should be detected," Taylor said. "There are other systems that are impacted when a cybercriminal is in your network and, if you have the tools to spot those issues, you can contain an issue before it reaches the keys to the kingdom."
The lapse could give attackers enough information to craft convincing social engineering attacks against customers, security experts warn.
"Unfortunately, we may still see piggyback attacks where cybercriminals launch social engineering attacks to cash in on the customer anxiety that follows the news cycle surrounding reports of any big-name breach," said Tod Beardsley, an engineering manager at vulnerability management vendor Rapid7. "You simply can't trust that an incoming call or email is legitimate and not a phishing attempt.”
PUBLISHED OCT. 3, 2014