Media Moves

Coverage: Data breach is bigger than expected

October 3, 2014

Posted by Liz Hester

JPMorgan Chase has bigger problems than it thought. The data breach first disclosed in August affects 76 million households. Now it has to fix the problem.

The Wall Street Journal story by Emily Glazer and Danny Yadron had these details:

J.P. Morgan Chase & Co. said about 76 million households were affected by a cybersecurity attack on the bank this summer in one of the most sweeping disclosed breaches of a financial institution.

The largest U.S. bank by assets said the unknown attackers stole customers’ contact information—including names, email addresses, phone numbers and addresses. The breach, which was first disclosed in August and is still under investigation by the bank and law enforcement, extended to the bulk of the bank’s customer base, affecting an amount equivalent to two-thirds of American households. It also affected about seven million of J.P. Morgan’s small-business customers. It isn’t clear how many of those households are U.S.-based.

The bank said hackers were unable to gather detailed information on accounts, such as account numbers, passwords, Social Security numbers or dates of birth. Customer money is “safe,” the bank said in a statement to customers on Thursday.

J.P. Morgan reiterated that it hadn’t seen unusual levels of fraud since the attack. It added that customers wouldn’t be liable for any unauthorized transactions on the account if the bank is notified, and that customers don’t need to change their passwords or account information.

With its wide scope of potential victims the latest incident is likely to renew concerns that hackers easily could wreak havoc with the nation’s financial infrastructure. In 2011, the Journal reported that a hacking group possibly tied to Russia breached the computers of Nasdaq OMX, though there was no evidence anything was taken and trading systems weren’t compromised.

Bloomberg’s Hugh Son reported that the data affected anyone who used the company’s websites and mobile app:

The breach affected anyone who visited the company’s websites, including Chase.com, or used its mobile app, said the person, who requested anonymity because that information wasn’t publicly disclosed. Some of those affected by the incursion are former clients of JPMorgan, which currently has 65 million customers and reaches half of all U.S. households, the person said.

The bank, led by Chief Executive Officer Jamie Dimon, hasn’t detected “any unusual customer fraud” related to the attack, and clients aren’t liable for unauthorized transactions that are promptly reported to the company, according to the filing.

“There is no evidence that account information for such affected customers -– account numbers, passwords, user IDs, dates of birth or Social Security numbers –- was compromised during this attack,” the company said.

Jessica Silver-Greenberg, Matthew Goldstein and Nicole Perlroth wrote for The New York Times that recently the company thought everything was under control:

Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.

As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.

The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.

Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.

The Reuters story by Tanya Agrawal, David Henry and Jim Finkle said that the breach could cause consumers to mistrust banks:

Tal Klein, vice president with the cybersecurity firm Adallom, said that the breach could undermine confidence in the security of banks and other companies that people assume are well protected from hackers.

“Criminals could literally take on the identities of these 83 million businesses and people. That’s the biggest concern,” he said.

“Until now the assumption has been that the companies that get breached are the ones that have poor security practices, but we know that JPMorgan had a good security program and that they invest heavily in this area,” he said. “So what we are waking up to is that the fundamental nature of security is broken.”

Still, JPMorgan advised customers on its website that it does not believe they need to change their passwords or account information.

Company spokeswoman Patricia Wexler said that the bank is not offering credit monitoring to its customers because no financial information, account data or personally identifiable information was compromised.

With all the loss of customer information recently, Target, Home Depot and now JPMorgan, it’s unlikely that anyone’s data is safe. Technology changes so quickly, it’s hard to stay ahead of the hackers, particularly when you have millions of pieces of information to safeguard. The companies that figure it out first will likely win the trust and business of customers.

Subscribe to TBN

Receive updates about new stories in the industry daily or weekly.

Subscribe to TBN

Receive updates about new stories in the industry.