This latest major cyber-attack follows high-profile data breaches at Barclays earlier this year, and the US retail giants Home Depot and Target, at the back-end of 2013. The Target breach was larger than the current story being reported from JPMorgan, though the ramifications of the attack on the bank could be far greater given the sensitive nature of the information held.
Retailers are not known to be at the forefront of security investments as they protect customer information and comparatively low-value physical goods. Obviously, with banks the situation is very different as they look after cash and highly valuable assets.
Initial public reports appear to indicate that the hackers breached JPMorgan’s network via an employee’s personal computer, with malware establishing a VPN tunnel into the bank’s network. At this early stage it appears that the compromised data was restricted to contact information, rather than account information like passwords, so the danger to businesses and customers lies in cold calling and fraudulent emails.
JPMorgan customers must now be extra vigilant when contacted by anyone purporting to be from the bank to ensure they are not subject to ‘social engineering’ communications.
More worryingly, the hackers stole details of the bank’s application infrastructure, which is an inventory of every program the bank uses. Such information can greatly assist in future attacks. Not only is it a useful blueprint that eliminates guesswork on the part of the hackers, it is also a guide to vulnerabilities to exploit.
Whether the theft was planned or opportunistic, this information will be of value to criminals until JPMorgan changes its infrastructure, which could take months. In assessing the fallout, JPMorgan will be challenged to choose between application change, new security controls and improved architecture.
According to The New York Times, JPMorgan believed only 1 million accounts were affected a few weeks ago. Now it is reporting that 83 million accounts are at risk – comprising 7 million small business accounts and 76 million personal accounts – and there is nothing to stop us speculating that it could be even more. This number is staggering, with the number of personal accounts affected exceeding the number of inhabitants of the UK.
Such high-profile institutions are holy grails for cyber-hackers and their systems have to withstand attacks almost constantly. Speed of reaction is the key, but this one went undetected for a month or more. The recurrence of such massive data breaches demonstrates that cybercrime is not high enough on the agenda of boards at the largest companies. The threats to systems are complex and constantly evolving, so organisations’ security systems and protocols must evolve at the same pace to prevent similar catastrophes.