What Security Lessons Did We Learn From The JP Morgan Chase & Co Breach?

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.


We may still see piggyback attacks where cybercriminals launch social engineering attacks

As many as 84 million bank account details were illegally accessed during a cyber attack on one of America’s largest banks this summer, it has been revealed.

JPMorgan Chase & Co said that 76 million household accounts and 7 million small business accounts were at risk of compromise during the security breach.

Names, phone numbers, addresses and email addresses were among the data stolen. But how much more do we know about this massive cyber attack? And what lessons can we learn from it? Here’s what the experts have to say:

Gavin Millard, Tenable’s EMEA technical director

“Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed. Was it a phishing attack directed towards a JP Morgan employee, a zero day vulnerability utilised or simply a poorly configured edge device giving access? Organizations would benefit from more information sharing between investigators and interested affected parties, but today’s business environment does not support that as common practice. We need to take a closer look at why it’s problematic to share and what’s being done to improve information sharing. This would benefit every other business defending against attack.”

David Robinson, chief security officer at Fujitsu UK & Ireland

“Another day, another cyber-attack. These malicious crimes continue to grow in frequency, size and complexity, making the issue of cyber security one of utmost importance for the industry. According to research from Fujitsu UK & Ireland, only 9% of consumers believe that organisations are doing enough to secure their data. The research also revealed that although every industry has seen a drop in trust over the last 10 years, it was the financial sector that had lost the most trust with customers.

“Senior managers within the industry know that such attacks can both damage the business and its reputation with customers, which is why they are investing heavily in staying one step ahead of the criminals. They continue to invest in the latest security tools, in ensuring that staff have the latest, most up-to-date skills, as well as in preparing appropriate contingency plans for use in the still-rare occasions when defences are breached. We should all remember that the banks successfully foil many more attacks than ever get reported in the media.”

Tod Beardsley, engineering manager, Rapid7

“Unfortunately we may still see piggyback attacks where cybercriminals launch social engineering attacks to cash in on the customer anxiety that follows the news cycle surrounding reports of any big-name breach. The usual advice applies: If you get an e-mail or a call from a JP Morgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card or statement for the contact number; you simply can’t trust that an incoming call or e-mail is legitimate and not a phishing attempt.”

Garry Sidaway, global director of security strategy, NTT Com Security

“The good news on this story is the fact that the time to detect the breach is significantly shorter than the average. But it does still indicate the huge challenges every business has against the increasingly complex threat landscape. My concern now is making sure that the lessons are learned and that information security and risk management are embedded into the business to protect personal data. Also as we have seen through the Global Threat Intelligence report, how they manage the incident is also critical.”

Barry Scott, CTO, Centrify

“It’s not always losing a username and password that’s directly the problem, although that’s very serious. Loss of data such as names, e-mail addresses, home addresses and phone numbers are all part of the jigsaw that makes up a person’s digital presence, and can form a good basis for further targeted attacks on that individual and the other services they use. How many people will be getting phishing phone calls as a result of their phone number being lost in this breach, with the caller using other information to try and prove that they are genuine?”

Tim Erlin, director of IT security and risk strategy, Tripwire

“It remains unclear whether this is a second, separate incident, or simply further discovery of how far the first compromise reaches. The initial identified scope of a breach is hardly ever the full picture. All other large financial institutions should take note of this incident, and not only scrutinise their defenses, but prepare for a public response before it’s needed. Large banks like JP Morgan are under constant cyber-attack, and they thwart the majority of attempted break-ins. While there’s little doubt that JP Morgan has taken action since the original incident was reported, the size and complexity of their network means they are unlikely to have rolled out new protections comprehensively by now. In situations like this, time is always the enemy.”

Gajraj Singh, security analyst, Centrify

“Initially, sophisticated hackers are interested in reconnaissance; this allows them to identify several points of weakness. They also look for ways to make changes to the bank’s systems that allow them to ‘hide’ in several places at once. Eliminating them in one place doesn’t mean you’ve found them everywhere.”
