Slashdot Mirror

← Back to Stories (view on slashdot.org)

JP Morgan Chase Breach Compromised Data of 76 Million Households

Posted by Soulskill on from the go-big-or-go-home dept.

JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords. The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.

19 of 76 comments (clear)

  1. To Big To Fail by BringsApples · · Score: 4, Informative

    To Big To Be Accountable

    --
    Politics; n. : A religion whereby man is god.
    1. Re:To Big To Fail by i+kan+reed · · Score: 4, Insightful

      There's definitely more than a little of that here, but in the internet era, the most important principle I've noticed is Too Big To Pass Up. If you're a hacker, a score of personal information numbering in the millions is essentially worth years and years and years of effort, huge investments of money, and risking obscene levels of punishment.

      The payout is too big not to. So big corporations make really really appealing targets. You're right that making big corporations more accountable for how they protect data would help a lot, but even if they were spending small fortunes on software security, things like heartbleed would still happen, where they're exposed and can do nothing about it.

      And I don't see a solution. More smaller companies might work. Maybe.

    2. Re:To Big To Fail by Anonymous Coward · · Score: 2, Insightful

      "and risking obscene levels of punishment."

      Hardly. The hackers mainly come from Russia or China. How is JP Morgan Chase supposed to punish them, even if they know exactly who they are? There's no risk at all for the hackers, which is why it keeps happening.

    3. Re:To Big To Fail by mlts · · Score: 3, Interesting

      This is "all eggs in one basket" syndrome, and it is only going to get worse as more people move to the cloud, LEOs of various countries (the example of countries demanding access to Blackberry's BIS servers comes to mind) getting their backdoors (and thus a database of keys to them), and more data in general is stashed in one place.

      To boot, there is no real financial gain by companies in general to actually bother with more than token security. They lose nothing by a major compromise, as they will have zero consequences if someone's personal info or medical records get compromised. Same with cloud data. There are no laws securing it. Even in the financial sector, Visa will just do a light hand slap if PCI-DSS3 is completely ignored on all but the smallest merchants. HIPAA is lightly enforced in the medical sector, if that. FERPA as well.

      In the past, banks had to worry about regulators and the threat of more laws if they didn't run a tight ship. Now, there is no incentive either way, be it a carrot for being secure, nor a stick for not taking basic security precautions. Bank customers may complain, but most of the clients would have to change too much stuff to move to another financial institution, so they won't have that many people stop doing business overall, especially if there is some vague promise of "we will do better next time".

  2. Security through obscurity - useful but inadequate by c0d3g33k · · Score: 4, Insightful

    The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application

    I find this interesting because it shows both the usefullness but ultimate inadequacy of security through obscurity. Had the hackers been unable to obtain this information, the implication is that the breach would not have happened, or at least not happened as soon. Without the ability to create a road map, they would have had to take the less efficient approach of randomly guessing and probing with the hope that something worked. So keeping that list of applications and programs a secret has some value.

    On the other hand, it underscores the importance of the point that people have been making about security through obscurity for decades: it's very weak security, and once that layer of the security onion is breached, there had better be stronger security layers underneath. Like patched and updated programs and web applications that close known vulnerabilities. I'm guessing that didn't happen, because the JP Morgan Chase management has probably acted like many other management teams I've had the "pleasure" of working with - they placed higher value on the secrecy than actually fixing stuff, because the former costs less, and it kind of works until it doesn't (and then that policy fails in a big way).

    I sincerely hope that these breaches light a fire under the asses of lax management at these large companies and they realize that spending the time and resources to *really* secure their systems is worth it in the long run.

    And then I laugh sadly, because that's wishful thinking.

  3. Other banks too? by Anonymous Coward · · Score: 2, Interesting

    I seem to recall hearing JP Morgan and FIVE other banks were compromised in this attack. At the time, the news (and /.) only mentioned JP Morgan by name. The consensus as I remembered was the other five banks were small and WERE too little to fail.

    Well, I would still like to know who these other victims were. What if it was a banking institution I use? I want to know if I have been exposed.

    Maybe it's time for the law to require notifications and possibly penalties to those institutions which don't take cyber security seriously.

  4. This is insane... by briancox2 · · Score: 3, Interesting

    Why have Visa and Mastercard not changed their purchase validation system?

    A static number that, once discovered, allows anyone to make a purchase until that number's use is deactivated? I should have 2-factor auth on all purchases, my credit card number should only act as a public key, or I should have the ability to generate new disposable numbers on the fly.

    They've pushed this nominclature of "identity theft" (which attempt to make consumers feel as though they've been robbed) when in truth these are just cases of fraud that were made possible and likely because Visa and Mastercard haven't improved THEIR security for about 20 years.

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
    1. Re:This is insane... by OzPeter · · Score: 4, Interesting

      I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.

      The problem is the retailers haven't implemented terminals to support it yet.

      They are starting to. And the first place that I ever used my chipped CC at was Walmart. (Which confused the hell out of the associate who was insisting that I swipe the card, rather than inserting it into the chip reader slot)

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:This is insane... by Anubis+IV · · Score: 2

      Why have Visa and Mastercard not changed their purchase validation system?

      The short answer is that they haven't done it yet because they couldn't.

      The longer answer is that if you look into this a bit, what you'll find is that they actually started making moves back in 2012 to get the ball rolling on the shift to EMV in the US, but these things take time and almost all of the migration is actually out of their hands. It isn't possible to respond with the massive roll out that's necessary, so we're still in the process of slowly migrating (our migration is different than most other nations that have gone through a similar migration, owing mostly to the larger scale and the significantly greater penetration of the previous technology).

      Visa, Mastercard, Discover, and American Express all announced back in mid-2012 that they would be switching to EMV and implementing a liability switch for merchants who didn't keep up. But the whole thing succeeds or fails based on the cooperation of merchants who upgrade their POS systems to deal with EMV, which can mean a significant cost to them, so the merchants had to be given time to make those plans. As a result, the actual liability shift is still a year away, set to take place in October 2015.

      In the meantime, we're in a weird time, where magnetic strip technology is essentially broken, yet the replacement for it is still a year away and can't reasonably be pushed forward any sooner since the actual implementation of it is out of the credit card companies' hands.

  5. Re:"stolen?" by Anonymous Coward · · Score: 5, Insightful

    Shhhh! You'll point out the groupthink's duplicity.

    It's fine when it's about getting free shit even if that harms someone else's livelihood. Information wants to be free! But when it's YOUR info that's copied, even if you still have that info, well, that's very different, you see.

    Prepare to be modded down for saying things people don't want to hear.

  6. When I was a kid... by Anonymous Coward · · Score: 5, Insightful

    ...they used to print all of that information up in a four-inch-thick book and leave it on your doorstep every six months or so. (Minus the email addresses, of course.)

  7. Sensitive information by CimmerianX · · Score: 4, Insightful

    Chase is really spinning this by saying that no sensitive information was taken in the hack.

    Well, it seems that the crackers now have tens of millions of *confirmed* Names, addresses, phone numbers, and emails at the very least. That is a freakin treasure trove of information.

    I like my privacy and take great care not to let information out into the world. But Doctors, banks, and gov always want every bit of info on you so they make the best targets.

  8. Re:Numbers don't seem right by CJL98 · · Score: 3, Insightful

    There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

    I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.

    I don't.. Between credit cards, mortgages, car loans, etc I can believe it. I currently have a car loan with them and within the last 5 years had a credit card.

  9. Re:Numbers don't seem right by Phreakiture · · Score: 2

    Well, I can see two factors that you're not thinking about: (1) a person having accounts at more than one institution (e.g. I do) and (2) different people in one household having accounts at different institutions (e.g. my wife and I have mostly but not entirely the same banks). It makes it quite plausible that multiple large banks could have customers in over half of the nation's households.

    This can be particularly pronounced with loans and credit cards for various reasons including "brokering" a deal for the end customer (think in terms of a car dealer or realtor finding you a loan/mortgage) and the fact that loans get bought and sold between banks.

    --
    www.wavefront-av.com
  10. And now it all makes sense by PhrostyMcByte · · Score: 3, Interesting

    My workplace gets regular audits from our clients, usually every 3-24 months depending on how big/paranoid the client is. JP Morgan Chase is one of them.

    We could tell the audit this summer was a bit different. It took about twice as long and went into much more detail than usual specifically regarding our tech side. After the audit, we got an unexpected list of demands related to stopping leaks.

    Now, we don't handle sensitive financial information for them, so it's possible they were just trying to cover all their bases and we got stuck with security theater. Irritatingly, everyone in IT immediately recognized that the demands wouldn't actually prevent leaks. When you have a company full of employees who regularly use FTP, email, and even dropbox to send files to clients, you're simply not going to be able to prevent it.

    After months of back and forth trying to kill some of the more ridiculous demands -- like blocking access to Gmail, which we use for company email -- they simply wouldn't budge. We've been wondering why they're standing so firm about it, and now it all makes sense.

  11. Re:Security through obscurity - useful but inadequ by Anonymous Coward · · Score: 2, Informative

    I have worked with JPMC several times, and can tell you you are way off base. They spend an ENORMOUS amount of money on IT and especially security.

    No system is perfect. Given enough incentive, anything can be broken. And, make no mistake, there is a TON of incentive to successfully breach a banking system. In fact, it would seem that the fact all they got was names, etc, and not banking details, shows that there systems are not near as weak as you think.

  12. Nobody cares by fulldecent · · Score: 3, Interesting

    As someone who has done research on banks and disclosed security holes (plug -- live exploits posted to http://privacylog.blogspot.com... not always obvious, not always interesting) I can tell you NOBODY cares.

    I am still working up the balls or requesting legal advice to tell me I am in the clear so I can tell you the details. But to summarize, there are still **egregious** security failures out there and they can be found by just one person. If you find one of these things you will see too that it is possible to get the federal and industry agencies on the phone that you would expect to be interested in this stuff. But it is purely a courtesy. As soon as you hang up, they will go back to focusing on botnets or revenue-impacting issues.

    --

    -- I was raised on the command line, bitch

  13. Re:Doesn't Chase SELL this???? by Anonymous Coward · · Score: 3, Funny

    That's the crime. Someone got it for free.

  14. Re:Security through obscurity - useful but inadequ by bws111 · · Score: 2

    "The point" is that no system is, or will ever be, perfect. You are the one making the claim that they are too cheap to patch systems, etc. They aren't.

    Even with their precautions someone breached them. That does not mean the money was not well spent, it just means that their system (including all the users of their system) is not perfect. I suppose YOU could make a 'perfect system' for them?

    Of course they COULD have kept that valuable customer name/email information off the internet. That would kind of make it impossible to offer on-line banking (something probably 99% of their customers want), wouldn't it.

    There will ALWAYS be tradeoffs between usability and security. A perfectly secure system would be virtually useless. The trick, of course, is finding the right balance. A breech like this does not show that balance is not currently right.