Slashdot Mirror


JP Morgan Chase Breach Compromised Data of 76 Million Households

JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords. The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.


  1. Re:To Big To Fail by i+kan+reed · · Score: 4, Insightful

    There's definitely more than a little of that here, but in the internet era, the most important principle I've noticed is Too Big To Pass Up. If you're a hacker, a score of personal information numbering in the millions is essentially worth years and years and years of effort, huge investments of money, and risking obscene levels of punishment.

    The payout is too big not to. So big corporations make really really appealing targets. You're right that making big corporations more accountable for how they protect data would help a lot, but even if they were spending small fortunes on software security, things like Heartbleed would still happen, where they're exposed and can do nothing about it.

    And I don't see a solution. More smaller companies might work. Maybe.

  2. Security through obscurity - useful but inadequate by c0d3g33k · · Score: 4, Insightful

    "The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application"

    I find this interesting because it shows both the usefulness but ultimate inadequacy of security through obscurity. Had the hackers been unable to obtain this information, the implication is that the breach would not have happened, or at least not happened as soon. Without the ability to create a road map, they would have had to take the less efficient approach of randomly guessing and probing with the hope that something worked. So keeping that list of applications and programs a secret has some value.

    On the other hand, it underscores the importance of the point that people have been making about security through obscurity for decades: it's very weak security, and once that layer of the security onion is breached, there had better be stronger security layers underneath. Like patched and updated programs and web applications that close known vulnerabilities. I'm guessing that didn't happen, because the JP Morgan Chase management has probably acted like many other management teams I've had the "pleasure" of working with - they placed higher value on the secrecy than actually fixing stuff, because the former costs less, and it kind of works until it doesn't (and then that policy fails in a big way).

    I sincerely hope that these breaches light a fire under the asses of lax management at these large companies and they realize that spending the time and resources to *really* secure their systems is worth it in the long run.

    And then I laugh sadly, because that's wishful thinking.

  3. Re:"stolen?" by Anonymous Coward · · Score: 5, Insightful

    Shhhh! You'll point out the groupthink's duplicity.

    It's fine when it's about getting free shit even if that harms someone else's livelihood. Information wants to be free! But when it's YOUR info that's copied, even if you still have that info, well, that's very different, you see.

    Prepare to be modded down for saying things people don't want to hear.

  4. When I was a kid... by Anonymous Coward · · Score: 5, Insightful

    ...they used to print all of that information up in a four-inch-thick book and leave it on your doorstep every six months or so. (Minus the email addresses, of course.)

  5. Sensitive information by CimmerianX · · Score: 4, Insightful

    Chase is really spinning this by saying that no sensitive information was taken in the hack.

    Well, it seems that the crackers now have tens of millions of *confirmed* Names, addresses, phone numbers, and emails at the very least. That is a freakin treasure trove of information.

    I like my privacy and take great care not to let information out into the world. But Doctors, banks, and gov always want every bit of info on you so they make the best targets.

  6. Re:To Big To Fail by Anonymous Coward · · Score: 2, Insightful

    "and risking obscene levels of punishment."

    Hardly. The hackers mainly come from Russia or China. How is JP Morgan Chase supposed to punish them, even if they know exactly who they are? There's no risk at all for the hackers, which is why it keeps happening.

  7. Re:Numbers don't seem right by CJL98 · · Score: 3, Insightful

    "There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

    "I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus."

    I don't. Between credit cards, mortgages, car loans, etc., I can believe it. I currently have a car loan with them and within the last 5 years had a credit card.