Banking giant JP Morgan Chase filed an official notice yesterday to the U.S. Securities and Exchange Commission (SEC) updating the material information concerning the cyberattack the bank uncovered during the summer. According to the bank’s Form 8-K, for customers using its Chase.com and JPMorganOnline websites as well as the Chase and J.P. Morgan mobile applications:
- User contact information—name, address, phone number and email address—and internal JPMorgan Chase information relating to such users have been compromised.
- The compromised data impacts approximately 76 million households and 7 million small businesses.
- However, there is no evidence that account information for such affected customers—account numbers, passwords, user IDs, dates of birth or Social Security numbers—was compromised during this attack.
To give you some perspective on the size of the breach, there are approximately 112 million households in the United States, along with 29.7 million small businesses.
The bank also reported in its SEC filing that it hasn’t seen any unusual customer fraud related to the data breach and that customers will not be liable for any unauthorized transaction on their accounts, provided that they promptly alert the bank to the bogus transaction.
JP Morgan goes on to say in a customer notice that it is “very sorry that this happened and for any uncertainty this may cause you.” Additionally, it says that, “There are always lessons to be learned, and we will learn from this one and use that knowledge to make our defenses even stronger.”
In the bank's 2013 annual report, JP Morgan CEO Jamie Dimon stated that the firm was going to spend $250 million annually on cybersecurity and employ some 1,000 people to help ensure security at the bank.
Cybersecurity experts all seem to agree that the breach of JP Morgan, considered one of—if not the—most sophisticated and best cyber-protected banks in the world, is highly worrying. Less clear is whether the reason customer personal data wasn’t taken was accidental or on purpose. (The Wall Street Journal reports that the bank’s marketing systems rather than operational banking systems were penetrated.)
A story at the New York Times, for instance, says that the cybercriminals had deep and pervasive access to JP Morgan IT systems for months, even obtaining “the highest level of administrative privilege” to 90 of the bank’s computer servers. However, the Times states, “investigators in law enforcement remain puzzled” since there is no evidence that money has been taken from customer accounts, nor has there been any launch of a major phishing campaign using the stolen contact information. Phishing a JP Morgan employee seems to be the way the cybercriminals got access to JP Morgan systems, by the way.
Speculation runs the gamut, including that the attack was sponsored by elements of the Russian government as a warning about Western government interference in the Ukrainian conflict and that it could be a search for confidential information on high-value targets, such as President Obama, who is said to be a JP Morgan customer. Other security experts speculate that this attack may have been just an initial foray into the bank’s IT system to understand how it works. If so, they likely will be back, in which case, expect more than contact information to be compromised.
Whatever the real reason, the bottom line is that, as the recent compromise of 56 million U.S. and Canadian payment cards at Home Depot exemplifies, cyber-insecurity is pervasive. Security maven Brian Krebs probably said it best when he told the Guardian, “Reality is dawning among regular corporations that you can’t keep these guys out. The most you can do is stop the bleeding.”
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.