News: JPMorgan: 76 million customers hacked
More than half of all households in the United States were affected by a data breach that occurred earlier this summer, JPMorgan Chase revealed on Thursday. JPMorgan said Thursday that cybercriminals gathered information on more than 80 million account holders as part of a massive bank hack this summer.
The revelation was included in a regulatory filing, and informs that back in August that hackers had infiltrated seven of the country’s largest banks, using sophisticated malware to burrow into their computer systems and manipulate records.
At JPMorgan (JPM), the hackers got contact information for 76 million households and 7 million small businesses, including names, addresses, phone numbers and email addresses, as well as “internal JPMorgan Chase information relating to such users.”
The bank said that “customers [whose accounts had been hacked] are not liable for unauthorized transactions on their account that they promptly alert the firm to”.
JP Morgan says it is unlikely customers will need to take any action, such as changing their passwords or account information.
Its company spokeswoman, Patricia Wexler, said that the bank is not offering credit monitoring to customers either because it does not believe any financial information, account data or personally identifiable information was taken.
The bank also said that the hackers didn’t get any account information — account numbers, user IDs, dates of birth or Social Security numbers — and that it hasn’t seen “any unusual customer fraud related to this incident.”
“The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter,” JPMorgan said in a securities filing, adding that it is cooperating with law enforcement.
Although it appears that the hackers haven’t been able to access bank accounts, they could still cash in by selling email addresses and other personal information to spammers.
The source of this summer’s attack still isn’t clear. Some analysts have pointed to hackers Russia, though the evidence is only circumstantial.
When and How it Happened
The attack itself reportedly occurred in multiple stages between June and August, according to The Wall Street Journal. Hackers specifically set their sights on servers containing user contact information, and were able to work their way deep into JPMorgan’s network through a personal computer belonging to an employee.
While the bank has since changed all of its passwords and shut down accounts that were potentially breached, the Times reported that hackers “made off with a list of the applications and programs that run on every standard JPMorgan computer,” which they can use to “cross check with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.”
Multiple unnamed sources with knowledge of the bank’s ongoing investigation added to the outlet that the process of changing all this software will take months. In that case, there is a fear that hackers could potentially find a way to re-enter JPMorgan’s network before the work is done.
Hackers from Russia and eastern Europe are often top FBI suspects in cyberattacks. The timing of the hack raised suspicions given the mounting tensions between Russia and the West over Ukraine and economic sanctions. The incident is currently being investigated by the FBI, though detectives told The NYT that the case is baffling due to the fact that the hackers did not steal any money from the accounts they compromised.
Who Is Affected
The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank’s online and mobile sites, according to a bank spokeswoman.
Security experts outside of the bank warned that the breach could result in an increase in crime as scammers will likely attempt to use the stolen information to engage in various types of fraud.
The bank’s customers should be on heightened alert for fraud, said Mark Rasch, a former federal cyber crimes prosecutor.
“All of this data is useful to hackers and identity thieves,” he said. “The kind of information that was stolen is not sensitive itself, but is frequently used to validate people’s identities.”
Tal Klein, vice president with the cybersecurity firm Adallom, said that the breach could undermine confidence in the security of banks and other companies that people assume are well protected from hackers.
“Criminals could literally take on the identities of these 83 million businesses and people. That’s the biggest concern,” he said.
“Until now the assumption has been that the companies that get breached are the ones that have poor security practices, but we know that JPMorgan had a good security program and that they invest heavily in this area,” he said. “So what we are waking up to is that the fundamental nature of security is broken.”
In a letter to shareholders earlier this year, JPMorgan said it planned to deploy over 1,000 people and budget $250 million annually to focus on cyber security.
Other major US firms, including Home Depot and Target have been the subject of similar widescale attacks.
The Home Depot breach affected 56 million customer payment cards, while Target saw credit card data for 40 million customers stolen, as well as personal and identification information for 70 million other customers.