An enormous privacy breach has compromised the bank accounts of 83 million JPMorgan Chase customers, including 76 million households, spilling out customer names, addresses, phone numbers, and email addresses.
According to the New York Times, the breach was disclosed in a securities filing on Thursday, although the attack was originally discovered in July. At first, the bank believed that about a million accounts were compromised, but security administrators slowly came to realize that the situation was much more grave. In a statement mailed out to customers, JPMorgan Chase writes that there is “no evidence that your account numbers, passwords, user IDs, date of birth or Social Security number were compromised during this attack.”
“Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident,” the statement continues. “Your money at JPMorgan Chase is safe.”
It appears that the attackers, who were operating from overseas, obtained a list of the software applications JPMorgan uses on its computers. Then, hackers sifted through each piece of software for known security vulnerabilities, and slowly began exploiting them in June.
What makes the attack so harrowing is that banks, as opposed to recent hacking targets Home Depot and Target, are supposed to be heavily fortified. Finance should be one of our most guarded industries, for obvious reasons. If a megabank like JPMorgan Chase is this vulnerable? That’s bad news for everyone.
“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet,” Steve Hultquist, chief evangelist at RedSeal Networks, said in an email sent to Fast Company. “They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks.” He continues:
“However, this breach demonstrates that even the best reactive technology and processes aren’t enough. Organizations need to deploy automated analysis of their entire end-to-end network access paths, using technology to find misconfigurations, unexpected consequences of configuration interactions, and other unanticipated results of the complexity of modern networked infrastructures.”
While cyberattacks have become more and more sophisticated, our current privacy safeguards have fallen behind, because security is expensive and low on the priority list for most companies.