JPMorgan Chase breach confirmed, 83 million customers affected

A filing made by JPMorgan Chase with the US Securities and Exchange Commission on Thursday has finally confirmed that the biggest bank in the US has suffered a data breach.

Unnamed sources shared news about the breach in late August, and FBI and the Secret Service began an official investigation.

The filing reveals that data of approximately 76 million households and 7 million small businesses that have accounts with the bank has been compromised by the attackers. This includes user contact information (name, address, phone number and email address) and internal JPMorgan Chase information relating to the users, but apparently not account numbers, passwords, user IDs, dates of birth or Social Security numbers.

The company says that they have yet to spot any unusual customer fraud related to this incident, and that its customers won’t be held liable for unauthorized transactions on their account if they promptly alert the company about them.

Patricia Wexler, the company’s spokeswoman, said that credit monitoring will not be offered to customers because no financial information, account data or personally identifiable information was compromised.

According to the NYT, the breach began in June and was discovered in July, and was effected by exploiting vulnerabilities in software running on JPMorgan’s computers. The attackers managed to compromise over 90 servers, and it seems that they really did not go after the money held in the customers’ accounts.

“The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems,” the NYT noted.

“The apparent stealthiness of the breach at JPMC is notable – theft of information, without any known theft of money,” commented Dr. Mike Lloyd, CTO of RedSeal Networks.

“It’s a reminder that criminals value information highly – much the same way that military commanders value battlefield intelligence, however obtained. It’s easier to spear-fish if you know where the target fish like to hang out, of course. It’s also worth noting that JPMorgan representatives commented that they immediately closed access paths. Ideally, vulnerable access paths would be closed off in advance, when not needed, but this is challenging in a large and fast-moving organization. Automated discovery of the “war room map’ is a great help, both in preventing such incidents, and in recovering quickly after them.”

“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet. They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks,” Steve Hultquist, chief evangelist at RedSeal Networks, added.

“However, this breach demonstrates that even the best reactive technology and processes aren’t enough. Organizations need to deploy automated analysis of their entire end-to-end network access paths, using technology to find misconfigurations, unexpected consequences of configuration interactions, and other unanticipated results of the complexity of modern networked infrastructures.”

“Without actual account credential information, the cyber criminals would not be able to use victims’ credit cards or gain access to their bank accounts. However, if this information is coupled with already stolen credentials, it could be used to verify the criminal as the intended user of the credentials,” says Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs.

“In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks. Using personal information like name, phone number, address, e-mail and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials. In addition, often times personal information like this is sold on the black market to advertisers and spam peddlers, so if anything, the cyber criminals who obtained this information will be selling it for that.”