JP Morgan Says Around 76 Million Households, 7 Million Small Firms Hit By Hacking Attack

Tom Burroughes, Group Editor, London, 3 October 2014

The hacking attack on JP Morgan could see data on more than 76 million households and 7 million small firms fall into the hackers' grasp, highlighting the threat that cybercriminals pose to the wealth management sector.

In a regulatory filing to the US Securities and Exchange Commission, the US-listed banking group said that “user contact information – name, address, phone number and email address – and internal JP Morgan Chase information relating to such users have been compromised”. It said the “compromised data impacts approximately 76 million households and 7 million small businesses”. It added that there is “no evidence that account information for such affected customers” was compromised by the attack.

The bank declined to comment when contacted by this publication.

The bank added in its SEC filing that it is fully cooperating with government agencies in connection with their investigations.

The scale of cybercrime, as highlighted by the JP Morgan case, is an increasing cause for alarm, particularly in sectors such as private banking and wealth management where criminals may target firms' clients. Fighting such criminals is likely to be a focus of increased IT spending and resources in coming years.

Bloomberg reported that it had been provided with new details on how the attackers accomplished the feat over months, including their initial entry. JP Morgan said the threat now is “phishing”, in which criminals try to trick people into handing over details.

The US Federal Bureau of Investigation is working with the Secret Service to determine the scope of cyber attacks against several US financial institutions including JP Morgan, the organisation has confirmed to this publication.

A report in early September said the attacks may have been aided and abetted by the Russian state, with whom the US and European Union are at odds over Russia’s annexation of Ukraine and support for pro-Russian separatists fighting in eastern Ukraine. The government of Russian president Vladimir Putin has dismissed the claims.

Reaction
"Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed. Was it a phishing attack directed towards a JP Morgan employee, a zero day vulnerability utilised or simply a poorly configured edge device giving access? Organizations would benefit from more information sharing between investigators and interested affected parties, but today’s business environment does not support that as common practice. We need to take a closer look at why it’s problematic to share and what’s being done to improve information sharing. This would benefit every other business defending against attack," Gavin Millard, EMEA technical director for Tenable, the network security firm, said in a statement.

Alert Logic's chief security "evangelist", Stephen Coty, said: "Looking at the data that was exposed it sounds like they gained access to a server that was used for marketing purposes. Perhaps for physical/cyber mailing of advertisements and notifications. There was mention that the data was organised by category of customer (Banking, Credit, Mortgage) with only name, address, telephone numbers and email addresses. This sounds like the credit card and banking information was secured and untouched by hackers. This type of data is stolen and sold on the underground for use of spam campaigns and url redirects to malicious sites."

"There should be a notification to affected users to be on the lookout for spam campaigns or emails from the bank with a url that you might not recognise. You check these urls by moving your mouse over the url, but not clicking, and look at the bottom left of your browser to make sure that the url in the email and the destination are the same. For example you move your mouse over a url like www.chase.com and then you look at the bottom left and it says www.chaseurl.com. You will not want to click on it," he added.
