JP Morgan Chase: Contacts for 76 Million Households and 7 Million Small Businesses Compromised

That's about half of U.S. households, in case you were wondering


Window with JP Morgan Chase written on it.
Photo: Spencer Platt/Getty Images

Banking giant JP Morgan Chase filed an official notice yesterday to the U.S. Securities and Exchange Commission (SEC) updating the material information concerning the cyberattack the bank uncovered during the summer. According to the bank’s Form 8-K, for customers using its and JPMorganOnline websites as well as the Chase and J.P. Morgan mobile applications:

  • User contact information—name, address, phone number and email address—and internal JPMorgan Chase information relating to such users have been compromised.
  • The compromised data impacts approximately 76 million households and 7 million small businesses.
  • However, there is no evidence that account information for such affected customers—account numbers, passwords, user IDs, dates of birth or Social Security numbers—was compromised during this attack.

To give you some perspective on the size of the breach, there are approximately 112 million households in the United States, along with 29.7 million small businesses.

The bank also reported in its SEC filing that it hasn’t seen any unusual customer fraud related to the data breach and that customers will not be liable for any unauthorized transaction on their accounts, provided that they promptly alert the bank to the bogus transaction.

JP Morgan goes on to say in a customer notice that it is “very sorry that this happened and for any uncertainty this may cause you.” Additionally, it says that, “There are always lessons to be learned, and we will learn from this one and use that knowledge to make our defenses even stronger.”

In the bank's 2013 annual report, JP Morgan CEO Jamie Dimon stated that the firm was going to be spending $250 million annually on cybersecurity and employ some 1,000 people to help ensure security at the bank.

Cybersecurity experts all seem to agree that the breach of JP Morgan, considered one of—if not the—most sophisticated and best cyber-protected banks in the world, is highly worrying. Less clear is whether the reason customer personal data wasn’t taken was accidental or on purpose. (The Wall Street Journal reports that the bank’s marketing systems rather than operational banking systems were penetrated.)

A story at the New York Times, for instance, says that the cybercriminals had deep and pervasive access to JP Morgan IT systems for months, even obtaining “the highest level of administrative privilege” to 90 of the bank’s computer servers. However, the Times states, “investigators in law enforcement remain puzzled” since there is no evidence that money has been taken from customer accounts, nor has there been any launch of a major phishing campaign using the stolen contact information. Phishing a JP Morgan employee seems to be the way the cybercriminals got access to JP Morgan systems, by the way.

Speculation runs the gamut, including that the attack was sponsored by elements of the Russian government as a warning about Western government interference in the Ukrainian conflict and that it could be a search for confidential information on high-value targets, such as President Obama, who is said to be a JP Morgan customer. Other security experts speculate that this attack may have been just an initial foray into the bank’s IT system to understand how it works. If so, they likely will be back, in which case, expect more than contact information to be compromised.

Whatever the real reason, the bottom line is that, as the recent compromise of 56 million U.S. and Canadian payment cards at Home Depot exemplifies, cyber-insecurity is pervasive. Security maven Brian Krebs probably said it best when he told the Guardian, “Reality is dawning among regular corporations that you can’t keep these guys out. The most you can do is stop the bleeding.”
