It seems every few weeks, another organization announces a big data breach putting their customers at risk. This time it’s the largest bank in the United States. J.P. Morgan Chase announced a breach on August 27th, but initially believed the number of compromised accounts was much smaller. It wasn’t until October 2nd that they revealed 76 million households and 7 million small business accounts were compromised.
The breach lasted from mid-June through mid-August and compromised more than 90 servers. It affected bank customers who accessed chase.com and JPMorganOnline on their computer or mobile device. While the breach itself lasted two months, it’s not clear how far back the records went, so customers who accessed the site before but not during the breach may also be at risk.
What are the risks for customers?
J.P. Morgan Chase has stated the hackers did not get any information that would allow them to access customer accounts, but they did get names, contact information and email accounts. At this point the most likely threat customers will face is phishing attempts where scammers send emails with links to fraudulent web pages designed to install malware or capture their banking login information.
Identity theft is a possibility, but because the hackers did not get customer birthdates or Social Security numbers, they would not have all of the information they need. However, if a hacker has a customer’s email address and contact info, they could attempt to break into the email account. As I mentioned in a previous post (Gmail Account Hack Shows Why Strong Passwords Are A Must), breaking into the customer’s primary email account can give cyber criminals access to a lot of sensitive information.
How did the hackers get access?
J.P. Morgan Chase, the Federal Bureau of Investigation and the Secret Service are investigating the attack. According to anonymous sources familiar with the matter, the hackers used a compromised employee account to break into a web-development server. From there they were able to worm their way into other servers and access the sensitive data.
What can companies do to combat hackers?
Switch to two-factor authentication. Two-factor authentication requires a password and an additional step, such as a code texted to the user’s phone. According to the sources close to the investigation, the vulnerable server only required users to supply a login ID and password. It is possible that two-factor authentication would have prevented the breach altogether.
Be more open about sharing best security practices. During my Bloomberg TV appearance last week, I discussed how cyber criminals collaborate and share information. Companies that are targets for hackers should share more data about their best practices and how they are stopping these attacks. It’s not a matter of helping competitors: when a major data breach comes out, it can make customers more hesitant to trust your company with their information as well.