The online security breach of JPMorgan Chase has raised puzzling questions about what the overseas hackers were after – and has pointed up just how steep the challenges are to keep information safe online.
In the JPMorgan Chase incident, which is one of the largest online security breaches in history, the hackers were able to access the contact information of 76 million households and 7 million small businesses having accounts with the banking behemoth, the company disclosed Thursday.
The massive incursion, however, has confounded investigators and other cybersecurity experts since only names, mailing addresses, e-mail addresses, and phone numbers appear to have been taken. And so far, there is no evidence that the hack was used to steal funds or gather sensitive account information.
In a filing with the US Securities and Exchange Commission on Thursday, JPMorgan Chase, the largest US bank with nearly $2.5 trillion in assets at the end of 2013, said there was “no evidence” that the hackers accessed account numbers, passwords, user IDs, dates of birth, or Social Security numbers.
But company officials were aware of the breach since July, when they said only 1 million customer accounts were compromised. Thursday’s revelation that the number was actually 83 million shocked cybersecurity experts around the nation.
“I think ‘crazy’ is just the way to describe it – I mean, it’s almost inexplicable,” says Fred Cate, former director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “Somebody used a sophisticated technique, we’re told, to break into this major international bank, and all they took were names and addresses?”
Adding to worries is the fact that the hackers, which investigators suspect may have come from Russia or Eastern Europe, according to reports, were able to access more than 90 JPMorgan Chase servers for nearly two months before they were detected, and they had obtained the highest level of administrative privileges, say people with knowledge of the investigation.
“It’s entirely possible the bad guys weren’t even after the information, they were after something else,” Brian Krebs, a cybersecurity investigator, told the Boston Herald. “If they have a month inside your network and they have time to cover their tracks, it could be difficult to find out what they touched.”
The hack at JPMorgan Chase comes after a series of troubling data breaches at some of the nation’s largest retail chains. Last year, hackers were able to access the information of 40 million credit-card and other card holders at Target, as well as 56 million this year at Home Depot.
Other companies, including the sandwich chain Jimmy John’s, the supermarket chain SuperValu, and a number of health-care providers have also reported data breaches this year.
“More than anything, it just raises this control question,” says Mr. Cate, who is also a professor at Indiana University’s Maurer School of Law. “Are our data in control anywhere? It’s not that we’re not winning the war – we don’t even know how bad the casualties are right now.”
“JPMorgan Chase, both for legal reasons and for competition reasons, I think we can assume had pretty good security,” he continues. “And we think of banks as having better security than retailers, for example. Yet when you see a bank breached at this level, with this number of [customers] and at this duration, it really does suggest that we’re not on top of this.”
The battle against hackers, say cybersecurity experts, is a 24/7, 365-day-a-year arms race as new and sophisticated methods of infiltrating networks are constantly evolving. Some “phishing” attacks have been known for decades, but newer, much more advanced “malware” can sneak into networks undetected.
And the United States lacks a centralized, mandatory database of malware “signatures” – the telltale signs of a malicious hack that allow security experts to set up firewalls against them nationwide, experts say.
“Knowing about this breach would certainly make every other bank in the country go back and look for the very same signatures of this type of breach,” says Cate. “And you’d like to think this kind of information would be provided, at least to regulators, as quickly as possible – in hours or days, not months.”