Client Affairs
JP Morgan Says Around 76 Million Households, 7 Million Small Firms Hit By Hacking Attack
The hacking attack on JP Morgan could see data on more 76 million households and 7 million small firms come into their grasp, highlighting the threat of cybercriminals to the wealth management sector.
The hacking attack on JP Morgan could see data
on more 76 million households and 7 million small firms come into
their grasp, highlighting the threat of cybercriminals to the
wealth management sector.
In a regulatory filing to the US Securities and Exchange
Commission, the US-listed banking group said that “user contact
information – name, address, phone number and email address – and
internal JP Morgan Chase information relating to such users have
been compromised”. It said the “compromised data impacts
approximately 76 million households and 7 million small
businesses”. It added that there is “no evidence that account
information for such affected customers” was compromised by the
attack.
The bank declined to comment when contacted by this publication.
The bank added in its SEC filing that it is fully cooperating with government agencies in connection with their investigations.
The scale of cybercrime, as highlighted by the JP Morgan case, is an increasing cause for alarm, particularly in sectors such as private banking and wealth management where criminals may target firms' clients. For more on this issue, see here. Fighting such criminals is likely to be a focus of increased IT spending and resources in coming years.
According to Bloomberg, new details on how attackers
accomplished the feat over months, including their initial entry,
were provided to the news service. JP Morgan said the
threat now is “phishing”, in which criminals try to trick people
into handing over details.
The US Federal Bureau of Investigation is working with the Secret
Service to determine the scope of cyber attacks against several
US financial institutions including JP Morgan, the organisation
has confirmed to this publication.
A report in early September said the attacks may have been aided
and abetted by the Russian state, with whom the US and European
Union are at odds over Russia’s annexation of Ukraine and support
for pro-Russian separatists fighting in eastern Ukraine. The
government of Russia president Vladimir Putin has dismissed the
claims.
Reaction
"Yet another breach of a huge amount of personal information but
little detail of how the attack occurred is disclosed. Was it a
phishing attack directed towards a JP Morgan employee, a zero day
vulnerability utilised or simply a poorly configured edge device
giving access? Organizations would benefit from more information
sharing between investigators and interested affected parties,
but today’s business environment does not support that as common
practice. We need to take a closer look at why it’s problematic
to share and what’s being done to improve information sharing.
This would benefit every other business defending against
attack," Gavin Millard, EMEA technical director for Tenable, the
network security firm, said in a statement.
Alert Logic's chief security "evangelist", Stephen Coty, said:
"Looking at the data that was exposed it sounds like they gained
access to a server that was used for marketing purposes. Perhaps
for physical/cyber mailing of advertisements and notifications.
There was mention that the data was organised by category of
customer (Banking, Credit, Mortgage) with only name, address,
telephone numbers and email addresses. This sounds like the
credit card and banking information was secured and untouched by
hackers. This type of data is stolen and sold on the underground
for use of spam campaigned and url redirects to malicious
sites."
"There should be a notification to affected users to be on the
lookout for spam campaigns or emails from the bank with a url
that you might not recognise.You check these urls by moving your
mouse over the url, but not clicking, and look at the bottom left
of your browser to make sure that the url in the email and the
destination are the same. For example you move you mouse over a
url like www.chase.com and then you look at the bottom left and
it says www.chaseurl.com. You will not want to click on it," he
added.