JP Morgan breach affects 7 million small businesses

US bank JPMorgan Chase says a data breach in August affected up to 76 million households and seven million small businesses

US bank JPMorgan Chase has confirmed a data breach reported in August affected up to 76 million households and seven million small businesses.

Information security experts say the disclosure in a mandatory filing with the US Securities and Exchange Commission shows data is the prime target and that traditional defences are no longer enough.

The FBI investigated the attack and several other major US banks that fuelled concerns about the cyber vulnerability of financial institutions and markets.

JPMorgan Chase confirmed attackers accessed names, addresses, phone numbers, email addresses, and "internal JPMorgan Chase information" for millions of the bank's customers.

However, the bank claims no account information such as account numbers, passwords, user IDs, dates of birth, or Social Security numbers was compromised.

The bank said it has not seen any unusual customer fraud related to this incident. But security professionals the breach could give rise to phishing attempts aimed at tricking the bank's customers into revealing login details and other banking information. 

The bank "continues to vigilantly monitor the situation and is continuing to investigate the matter," it said, which includes co-operating with government agencies in their investigations.

But the filing gave no indication of how the attackers were able to breach its IT systems and, so far, no details of the FBI’s investigation have been made public.

In response to media enquiries, the bank said it experienced only one attack, which lasted from June to August.

The apparent stealthiness of the breach is notable,” said Mike Lloyd, chief technology officer at security firm RedSeal Networks.

“It is a reminder that criminals value information highly – much the same way that military commanders value battlefield intelligence, however it is obtained.

“It is also worth noting that JPMorgan representatives said they immediately closed access paths. Ideally, vulnerable access paths would be closed off in advance, when not needed, but this is challenging in a large and fast-moving organisation,” he said.

Confirmation of the number of customers involved comes after a series of breaches at US retailers, also impacting millions of customers.

“Just because we are not hearing about such breaches in Europe, does not mean similar attacks are not going on,” said Anthony Merry, director of data protection at security firm Sophos.

“We are hearing about the data breaches in the US because of the mandatory breach-reporting laws that have yet to be introduced in Europe,” he said.

But such laws will be introduced if the proposed EU data protection law reforms are ratified in their current form, which could change the picture in Europe dramatically, said Merry.

Gajraj Singh, security analyst at security firm Tripwire, said sophisticated hackers are initially interested in reconnaissance to identify several points of weakness.

“They also look for ways to make changes to the bank’s systems that allow them to ‘hide’ in several places at once. Eliminating them in one place does not mean you have found them everywhere,” he said.

Steve Hultquist, chief evangelist at RedSeal Networks, said the fact an organisation like JP Morgan Chase could be breached should serve as a warning to every organisation.

“This breach demonstrates that even the best reactive technology and processes are not enough. Organisations need to deploy automated analysis of their entire end-to-end network access paths, using technology to find misconfigurations, unexpected consequences of configuration interactions, and other unanticipated results of the complexity of modern networked infrastructures.

“Using proactive cyber attack prevention, organisations can be sure that their monitoring and reactive technologies are properly placed, that their network zones are correctly implemented, and can more precisely understand the implications of their overall set of network configurations,” he said.

In a letter to shareholders earlier this year, JPMorgan Chase said it planned to deploy over 1,000 people and budget $250m annually to focus on cyber security, reports CNN Money.

“Attacks like these are frustrating,” the bank said in a statement on its website. “There are always lessons to be learned, and we will learn from this one and use that knowledge to make our defenses even stronger.”

Read more on Privacy and data protection