JP Morgan Chase has admitted that a breach that it suffered in August may affect up to 76 million households and seven million small businesses.
The breach saw user contact information, such as names, addresses, phone numbers and email addresses, as well as internal JPMorgan Chase information relating to such users, compromised.
In a securities filing issued yesterday, the firm said that there is no evidence that bank account information for such affected customers was compromised during this attack, and it said it has seen no unusual customer fraud related to this incident.
“The firm continues to vigilantly monitor the situation and is continuing to investigate the matter,” it said. “In addition, the firm is fully cooperating with Government agencies in connection with their investigations.”
Eduard Meelhuysen, VP EMEA at Netskope, suspected that the attackers used a virtual private network (VPN) connection to get into the organisation. Alert Logic’s chief security evangelist, Stephen Coty, said that the data suggested that the attacker gained access to a server that was used for marketing purposes.
“There was mention that the data was organised by category of customer (Banking, Credit, Mortgage) with only name, address, telephone numbers and email addresses. This sounds like the credit card and banking information was secured and untouched by hackers. This type of data is stolen and sold on the underground for use of spam campaigned and url redirects to malicious sites,” he said.
Tim Erlin, director of IT security and risk strategy at Tripwire, said: “It remains unclear whether this is a second, separate incident, or simply further discovery of how far the first compromise reaches. The initial identified scope of a breach is hardly ever the full picture.
“While there’s little doubt that JP Morgan has taken action since the original incident was reported, the size and complexity of their network means they are unlikely to have rolled out new protections comprehensively by now. In situations like this, time is always the enemy.”
Ken Westin, security analyst at Tripwire, said: “This second compromise shows that even companies that invest heavily in security tools and people there can still be compromised if the attacker is persistent and well-resourced. Other financial services firms beware.”
John Zurawski, vice president for Authentify, said that while none of the news is good, the affected seven million small businesses must take immediate action. “Many small businesses are often no better protected, from an IT perspective, than the average home computer,” he said.
“On the other hand, there could be considerably more money involved including payroll accounts. Adding employees to a payroll account and paying them usually doesn’t trigger an alarm. In addition, small businesses often have a varying number of suppliers. It’s hard to create a profile of legitimate payees for electronic payment accounts to trigger risk alarms. The businesses affected should consent to any additional authentication factors the bank may offer.”