Customers and industry players have been left to wonder about the full extent of the damage caused by the JPMorgan Chase data breach reported in August. That damage was finally revealed yesterday in an SEC filing.
JPMorgan said that 76 million households and 7 million small businesses had been compromised in the attack. The hackers stole personal information like names, phone numbers, and email addresses, but no account numbers, Social Security numbers, or passwords were stolen. The bank also said there has been no unusual fraud activity in the compromised accounts so far.
[For more on our coverage of the JPMorgan breach, check out: What Banks Need To Do After the JPMorgan Breach.]
There are still a lot of unanswered questions regarding the breach. How the attackers gained access to the bank's systems and customer accounts remains unclear. The New York Times, citing anonymous sources, reported that the hackers had a list of the applications and programs running on the bank's computers. More than 90 servers were compromised, and the hackers gained important administrative privileges in the bank's systems.
Security experts say that more information is needed to learn how the hackers were able to execute their attack. "Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed," said Gavin Millard, EMEA technical director for Tenable. "Was it a phishing attack directed towards a JP Morgan employee, a zero-day vulnerability utilized, or simply a poorly configured edge device giving access? Organizations would benefit from more information sharing between investigators and interested affected parties."
The motives are also still unknown; the attackers haven't committed any fraudulent transactions with the compromised accounts.
JPMorgan "discovered the intrusion in mid-August and now believe the breach began as early as June," said Carmine Clementelli, network security product manager for PFU Systems. "The intrusion was already on the bank's servers. How did that happen? More importantly moving forward is why?"
John Zurawski, vice president for Authentify, said this breach also differs from the attacks on Target and Home Depot in the past year in that it affects millions of small businesses in addition to consumers. Small businesses rarely have better cyber security protection than the average consumer, but they usually have much more money at stake. "Small businesses should immediately change their passwords, and Chase will have to authenticate those requests very carefully." Clients should also sign up for any multi-factor authentication available from the bank.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio