| The Seattle Times | - |
Investigators
remain puzzled by the attack on the bank because there is no evidence
that the attackers looted any customer money from accounts.
JPMorgan: Millions of accounts compromised in cyberattack
Investigators remain puzzled by the attack on
the bank because there is no evidence that the attackers looted any
customer money from accounts.
The New York Times
Related
Reader Comments
A cyberattack this summer on JPMorgan Chase compromised more
than 76 million household accounts and 7 million small-business
accounts, making it among the largest corporate hacks ever discovered.
The latest revelations, which were disclosed in a regulatory filing Thursday, vastly dwarf earlier estimates that hackers had gained access to roughly 1 million customer accounts.
JPMorgan Chase said that names, addresses, phone numbers and email addresses were stolen from the company’s servers, but only customers who use the websites Chase.com and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected.
The New York-based bank said there’s no evidence that the data breach included account numbers, passwords, Social Security numbers or dates of birth. It also said it has not seen any unusual customer fraud stemming from the data breach.
The bank discovered the intrusion on its servers in mid-August and has since determined that the breach began as early as June, spokeswoman Patricia Wexler said.
“We have identified and closed the known access paths,” she said, declining to elaborate.
In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.
The Chase heist is even more disturbing than the recent retail breaches because banks are supposed to have fortresslike protection against intruders, said Gartner security analyst Avivah Litan.
“This is really a slap in the face of the American financial-services system,” Litan said. “Honestly, this is a crisis point.”
That means consumers and business owners need to pore over their financial statements for any sign of suspicious activity.
And people should be more leery than ever of unsolicited phone calls from purported bank representatives, emails fishing for their financial information and even uninvited guests knocking at their doors.
“You have to be paranoid now. You can’t slack off,” Litan said. “There is no such thing as data confidentiality anymore. Everything is out there.”
The new details about the extent of the hack — which began in June but was not discovered until July — sent JPMorgan scrambling for the second time in just three months to contain the fallout.
Hackers were able to burrow deep into JPMorgan’s computer systems, accessing the accounts of more than 90 servers — a breach that underscores just how vulnerable the global financial system is to cybercrime. Until now, most of the largest hack attacks on corporations have been confined to retailers like Target and Home Depot.
Investigators in law enforcement remain puzzled by the attack on the bank because there is no evidence that the attackers looted any customer money from accounts.
The lack of any apparent profit motive has generated speculation among law-enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
By the time JPMorgan first suspected the breach in late July, hackers had already “rooted” more than 90 computer servers — hacker-speak for gaining the highest level of privilege to those machines — according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer — a hacker’s road map of sorts — which hackers could cross-check with known vulnerabilities in each program and Web application, in search of an entry point back into the bank’s systems.
These people said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, leaving hackers plenty of time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
The original hack sent ripples through the financial system and prompted an FBI investigation, even as Wall Street, which has been a frequent target for hackers in recent years, worked to guard against the threats.
The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach. The bank said at the time that there was no indication that any customer money was taken and that it believed it had secured all its systems.
Material from The Associated Press is included in this report.
Want unlimited access to seattletimes.com? Subscribe now!
The latest revelations, which were disclosed in a regulatory filing Thursday, vastly dwarf earlier estimates that hackers had gained access to roughly 1 million customer accounts.
JPMorgan Chase said that names, addresses, phone numbers and email addresses were stolen from the company’s servers, but only customers who use the websites Chase.com and JPMorganOnline and the apps ChaseMobile and JPMorgan Mobile were affected.
The New York-based bank said there’s no evidence that the data breach included account numbers, passwords, Social Security numbers or dates of birth. It also said it has not seen any unusual customer fraud stemming from the data breach.
The bank discovered the intrusion on its servers in mid-August and has since determined that the breach began as early as June, spokeswoman Patricia Wexler said.
“We have identified and closed the known access paths,” she said, declining to elaborate.
In response to the data breach, the company has disabled compromised accounts and reset passwords of all its technology employees, Wexler said.
The Chase heist is even more disturbing than the recent retail breaches because banks are supposed to have fortresslike protection against intruders, said Gartner security analyst Avivah Litan.
“This is really a slap in the face of the American financial-services system,” Litan said. “Honestly, this is a crisis point.”
That means consumers and business owners need to pore over their financial statements for any sign of suspicious activity.
And people should be more leery than ever of unsolicited phone calls from purported bank representatives, emails fishing for their financial information and even uninvited guests knocking at their doors.
“You have to be paranoid now. You can’t slack off,” Litan said. “There is no such thing as data confidentiality anymore. Everything is out there.”
The new details about the extent of the hack — which began in June but was not discovered until July — sent JPMorgan scrambling for the second time in just three months to contain the fallout.
Hackers were able to burrow deep into JPMorgan’s computer systems, accessing the accounts of more than 90 servers — a breach that underscores just how vulnerable the global financial system is to cybercrime. Until now, most of the largest hack attacks on corporations have been confined to retailers like Target and Home Depot.
Investigators in law enforcement remain puzzled by the attack on the bank because there is no evidence that the attackers looted any customer money from accounts.
The lack of any apparent profit motive has generated speculation among law-enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
By the time JPMorgan first suspected the breach in late July, hackers had already “rooted” more than 90 computer servers — hacker-speak for gaining the highest level of privilege to those machines — according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer — a hacker’s road map of sorts — which hackers could cross-check with known vulnerabilities in each program and Web application, in search of an entry point back into the bank’s systems.
These people said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, leaving hackers plenty of time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
The original hack sent ripples through the financial system and prompted an FBI investigation, even as Wall Street, which has been a frequent target for hackers in recent years, worked to guard against the threats.
The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach. The bank said at the time that there was no indication that any customer money was taken and that it believed it had secured all its systems.
Material from The Associated Press is included in this report.
Want unlimited access to seattletimes.com? Subscribe now!
end quote from:
No comments:
Post a Comment