Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

JP Morgan Chase Breach Compromised Data of 76 Million Households 76

JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords. The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.
This discussion has been archived. No new comments can be posted.

JP Morgan Chase Breach Compromised Data of 76 Million Households

Comments Filter:
  • To Big To Fail (Score:5, Informative)

    by BringsApples ( 3418089 ) on Friday October 03, 2014 @09:14AM (#48055511)
    To Big To Be Accountable
    • Re:To Big To Fail (Score:5, Insightful)

      by i kan reed ( 749298 ) on Friday October 03, 2014 @09:30AM (#48055631) Homepage Journal

      There's definitely more than a little of that here, but in the internet era, the most important principle I've noticed is Too Big To Pass Up. If you're a hacker, a score of personal information numbering in the millions is essentially worth years and years and years of effort, huge investments of money, and risking obscene levels of punishment.

      The payout is too big not to. So big corporations make really really appealing targets. You're right that making big corporations more accountable for how they protect data would help a lot, but even if they were spending small fortunes on software security, things like heartbleed would still happen, where they're exposed and can do nothing about it.

      And I don't see a solution. More smaller companies might work. Maybe.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        "and risking obscene levels of punishment."

        Hardly. The hackers mainly come from Russia or China. How is JP Morgan Chase supposed to punish them, even if they know exactly who they are? There's no risk at all for the hackers, which is why it keeps happening.

        • by mlts ( 1038732 )

          Russia, China, Middle East, etc. Unlike the Internet when there was a threat of having the upstream pull the connection, so there was incentive of minding the store when it came to attacks, there is none now. In fact, some countries encourage it, since they dislike the West and view any place there as open season.

          Realistically, the only solution is to do like the US Government with SIPRNet and NIPRNet, and have dedicated wires (not VPNs or stuff running over existing Internet connections) for a financial

      • I have a Chase account and since early/mid summer I have been getting fairly well written demands from my "ISP" telling me I need to go online to enable antivirus protection for my e-mail account.

        I haven't visited the sites I'm told to visit (not my real ISP addresses but similar) but wouldn't be surprised if that is the first step to compromising my computer to scrape login information to my Chase account, and also being able to intercept any e-mail alerts to fraudulent activity. If they mapped Chase's
        • Our options are limited.

          The internet, by its nature, invites all the complexities of international law. It used to be you wouldn't have to worry about that unless you were near a border, on board a plane, or running a multinational corporation. Now it's a problem for everyone. People commit fraudulent crimes from places where they happen to be legal or unenforced, and every different way of doing things invites a new loophole.

      • Well, you're certainly correct. There's nothing that can be done to prevent every possible attack. And hey, maybe the reason that they didn't move all money into one account and close all the rest was because it would have triggered an alarm or two that are in place. But knowing that my SS# is out there makes me less secure, seeing as how it's how my bank recognizes (or confirms) me for all sorts of different reasons.

        So in my saying "To Big To Be Accountable", I mean to say "What are they going to do
        • The "security that used to be" was air gaps and manual processing of almost everything. It's the same security as living 2 miles from your neighbors before cars were invented.

      • Re:To Big To Fail (Score:4, Interesting)

        by mlts ( 1038732 ) on Friday October 03, 2014 @10:37AM (#48056211)

        This is "all eggs in one basket" syndrome, and it is only going to get worse as more people move to the cloud, LEOs of various countries (the example of countries demanding access to Blackberry's BIS servers comes to mind) getting their backdoors (and thus a database of keys to them), and more data in general is stashed in one place.

        To boot, there is no real financial gain by companies in general to actually bother with more than token security. They lose nothing by a major compromise, as they will have zero consequences if someone's personal info or medical records get compromised. Same with cloud data. There are no laws securing it. Even in the financial sector, Visa will just do a light hand slap if PCI-DSS3 is completely ignored on all but the smallest merchants. HIPAA is lightly enforced in the medical sector, if that. FERPA as well.

        In the past, banks had to worry about regulators and the threat of more laws if they didn't run a tight ship. Now, there is no incentive either way, be it a carrot for being secure, nor a stick for not taking basic security precautions. Bank customers may complain, but most of the clients would have to change too much stuff to move to another financial institution, so they won't have that many people stop doing business overall, especially if there is some vague promise of "we will do better next time".

        • I'm wary of your "in the past" statement. When exactly in the past do you mean?

          • Probably before Clinton and the Republican Congress gutted bank regulators.
            What did you think he meant?
            • Well, I mean only a few years before that was the fucking savings and loan crisis. Those idealized halcyon days should probably exist before we talk about how we have abandoned their principals. If you know me, you'll know I'm no fan of imaginary free market solutions to systemic problems, but the past was just as rife with pointless deregulation as today.

  • ... Everybody listens.
  • by c0d3g33k ( 102699 ) on Friday October 03, 2014 @09:33AM (#48055657)

    The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application

    I find this interesting because it shows both the usefullness but ultimate inadequacy of security through obscurity. Had the hackers been unable to obtain this information, the implication is that the breach would not have happened, or at least not happened as soon. Without the ability to create a road map, they would have had to take the less efficient approach of randomly guessing and probing with the hope that something worked. So keeping that list of applications and programs a secret has some value.

    On the other hand, it underscores the importance of the point that people have been making about security through obscurity for decades: it's very weak security, and once that layer of the security onion is breached, there had better be stronger security layers underneath. Like patched and updated programs and web applications that close known vulnerabilities. I'm guessing that didn't happen, because the JP Morgan Chase management has probably acted like many other management teams I've had the "pleasure" of working with - they placed higher value on the secrecy than actually fixing stuff, because the former costs less, and it kind of works until it doesn't (and then that policy fails in a big way).

    I sincerely hope that these breaches light a fire under the asses of lax management at these large companies and they realize that spending the time and resources to *really* secure their systems is worth it in the long run.

    And then I laugh sadly, because that's wishful thinking.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      I have worked with JPMC several times, and can tell you you are way off base. They spend an ENORMOUS amount of money on IT and especially security.

      No system is perfect. Given enough incentive, anything can be broken. And, make no mistake, there is a TON of incentive to successfully breach a banking system. In fact, it would seem that the fact all they got was names, etc, and not banking details, shows that there systems are not near as weak as you think.

      • Well, that's hardly comforting. So even spending an ENORMOUS amount of money on IT and security can't prevent your system from being breached in a big and spectacular way? Then either that enormous amount of money was spent poorly, or that information should not have been exposed to the internet in the first place until it was properly secured. They were breached, in a big way. So their systems were exactly as weak as I think, enormous expenditure aside. I fail to see your point. "They tried REALLY ha

        • by bws111 ( 1216812 )

          "The point" is that no system is, or will ever be, perfect. You are the one making the claim that they are too cheap to patch systems, etc. They aren't.

          Even with their precautions someone breached them. That does not mean the money was not well spent, it just means that their system (including all the users of their system) is not perfect. I suppose YOU could make a 'perfect system' for them?

          Of course they COULD have kept that valuable customer name/email information off the internet. That would kind o

      • You also forget that there is spending a metric shit ton of money on products and actually being effective. Working in the field of computer security I see an awful lot of buy our magic product and it will do everything but get the cute girl in accounting to suck you off type of stuff. When you actually dig in you find out that most of it is a presentation targeted towards managers who know buzzwords and PowerPoint slides [dilbert.com] but the tool is completely worthless. I'm looking at you "event correlation tools" as
  • Other banks too? (Score:2, Interesting)

    by Anonymous Coward

    I seem to recall hearing JP Morgan and FIVE other banks were compromised in this attack. At the time, the news (and /.) only mentioned JP Morgan by name. The consensus as I remembered was the other five banks were small and WERE too little to fail.

    Well, I would still like to know who these other victims were. What if it was a banking institution I use? I want to know if I have been exposed.

    Maybe it's time for the law to require notifications and possibly penalties to those institutions which don't take

  • ... legislate to regulate.

    Until the likes of JP Morgan Chase feels pain, this crap will continue.

    We need security liability laws.

  • This is insane... (Score:4, Interesting)

    by briancox2 ( 2417470 ) on Friday October 03, 2014 @09:36AM (#48055685) Homepage Journal
    Why have Visa and Mastercard not changed their purchase validation system?

    A static number that, once discovered, allows anyone to make a purchase until that number's use is deactivated? I should have 2-factor auth on all purchases, my credit card number should only act as a public key, or I should have the ability to generate new disposable numbers on the fly.

    They've pushed this nominclature of "identity theft" (which attempt to make consumers feel as though they've been robbed) when in truth these are just cases of fraud that were made possible and likely because Visa and Mastercard haven't improved THEIR security for about 20 years.
    • I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.

      The problem is the retailers haven't implemented terminals to support it yet.

      • Re:This is insane... (Score:5, Interesting)

        by OzPeter ( 195038 ) on Friday October 03, 2014 @09:45AM (#48055787)

        I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.

        The problem is the retailers haven't implemented terminals to support it yet.

        They are starting to. And the first place that I ever used my chipped CC at was Walmart. (Which confused the hell out of the associate who was insisting that I swipe the card, rather than inserting it into the chip reader slot)

      • I wasn't referring to transactions where a card is physically present. I'm talking about the online use of the information where the only thing required is a static set of numbers. But I would also like to see disposable (one-use) numbers available for physical transactions using my phone as a 2-factor auth.
    • > Why have Visa and Mastercard not changed their purchase validation system?

      This story has nothing whatsoever to do with credit cards. The bad guys got a list of names and email addresses - a phone book.

      • My point raymorris, is that that should not be possible! You shouldn't be able to obtain a static number and then have the right to start charging money. The story just highlights how wrong the current system is.
        • > ! You shouldn't be able to obtain a static number and then have the right to start charging money. . The story just highlights how wrong the current system is.

          No, it doesn't. The story has absolutely nothing whatsoever to do with credit cards. That's a completely unrelated topic. Maybe credit card numbers are stupid, maybe Obama is stupid, maybe you're stupid. This story has absolutely nothing to do with any of those things.

          • Doh!

            So, I have made a new resolution. I will RTFA or at least drink coffee in the morning before posting on /. from now on. =)
            • Well that's an unexpectedly gracious and humble reply to a post which included the words "maybe you're stupid".
              I'm sorry for including those words. Maybe you're a gentleman and a scholar, fine sir.

              • Thank you. I have pretty thick skin. But I'm glad to cool things down also when I realized I wasn't paying enough attention. Mea culpa.
    • Why have Visa and Mastercard not changed their purchase validation system?

      The short answer is that they haven't done it yet because they couldn't.

      The longer answer is that if you look into this a bit, what you'll find is that they actually started making moves back in 2012 to get the ball rolling on the shift to EMV in the US, but these things take time and almost all of the migration is actually out of their hands. It isn't possible to respond with the massive roll out that's necessary, so we're still in the process of slowly migrating (our migration is different than most other

    • https://www.mbnashopsafe.com/o... [mbnashopsafe.com]
      It's been around for over ten years. It provides disposable numbers. Each new number is locked into a single payee, and you can update/set the expiration date and credit limit for these numbers, so you never have to reveal the "root" CC number - not even for recurring bills .
      I don't think you can change the name on the card or the billing address.
  • by Anonymous Coward on Friday October 03, 2014 @09:39AM (#48055715)

    ...they used to print all of that information up in a four-inch-thick book and leave it on your doorstep every six months or so. (Minus the email addresses, of course.)

  • by CimmerianX ( 2478270 ) on Friday October 03, 2014 @09:39AM (#48055717)

    Chase is really spinning this by saying that no sensitive information was taken in the hack.

    Well, it seems that the crackers now have tens of millions of *confirmed* Names, addresses, phone numbers, and emails at the very least. That is a freakin treasure trove of information.

    I like my privacy and take great care not to let information out into the world. But Doctors, banks, and gov always want every bit of info on you so they make the best targets.

    • by antdude ( 79039 )

      And it is difficult to keep them under our control aftre we give them our personal datas. Who knows how much got leaked out even if there were no breaches. :(

  • by Anonymous Coward

    There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

    I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.

    • Re: (Score:3, Insightful)

      by CJL98 ( 3818121 )

      There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

      I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.

      I don't.. Between credit cards, mortgages, car loans, etc I can believe it. I currently have a car loan with them and within the last 5 years had a credit card.

    • Well, I can see two factors that you're not thinking about: (1) a person having accounts at more than one institution (e.g. I do) and (2) different people in one household having accounts at different institutions (e.g. my wife and I have mostly but not entirely the same banks). It makes it quite plausible that multiple large banks could have customers in over half of the nation's households.

      This can be particularly pronounced with loans and credit cards for various reasons including "brokering" a deal for

    • JP-Chase handles foodstamps accounts...
  • by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Friday October 03, 2014 @10:28AM (#48056143) Homepage

    My workplace gets regular audits from our clients, usually every 3-24 months depending on how big/paranoid the client is. JP Morgan Chase is one of them.

    We could tell the audit this summer was a bit different. It took about twice as long and went into much more detail than usual specifically regarding our tech side. After the audit, we got an unexpected list of demands related to stopping leaks.

    Now, we don't handle sensitive financial information for them, so it's possible they were just trying to cover all their bases and we got stuck with security theater. Irritatingly, everyone in IT immediately recognized that the demands wouldn't actually prevent leaks. When you have a company full of employees who regularly use FTP, email, and even dropbox to send files to clients, you're simply not going to be able to prevent it.

    After months of back and forth trying to kill some of the more ridiculous demands -- like blocking access to Gmail, which we use for company email -- they simply wouldn't budge. We've been wondering why they're standing so firm about it, and now it all makes sense.

  • that if i took a little bit of time on Google, I could find all this information as well...in the yellow pages...SMH
    • So how long to Google 76 million? I am not in the Yellow pages and a google of me turns up zilch. I need to have faith that people I do share this info with don't let it get away.
      • Two things... A) The right piece of code and the right piece of hardware could burn through 76 million searches rather quickly...Facebook itself has how many users with phone numbers and addresses? My android fones like to automagically take all my google plus contacts/email addys and facebook contacts and put them in my personal contact lists for me (i have to shut this off, as I don't like having to scroll through thousands of contacts to find my local friends whom I desire to call... B) Go check out t
  • The compromised data included names, email addresses, phone numbers, and addresses.

    Holy defecation Batman! Hackerz stole a phone book!

    • Don't trivialize this by ignoring the true nature of the breach.

      This is more like obtaining an exclusive unlisted client list detailing who exactly is doing business with a given organization. The phone book doesn't provide that connection - knowing names, addresses and phone numbers doesn't tell you which crucial and vulnerable businesses are associated with a household. Obtaining the same information from a business of interest is a different story entirely. Metadata is crucially important.

  • Nobody cares (Score:4, Interesting)

    by fulldecent ( 598482 ) on Friday October 03, 2014 @11:05AM (#48056433) Homepage

    As someone who has done research on banks and disclosed security holes (plug -- live exploits posted to http://privacylog.blogspot.com... [blogspot.com] not always obvious, not always interesting) I can tell you NOBODY cares.

    I am still working up the balls or requesting legal advice to tell me I am in the clear so I can tell you the details. But to summarize, there are still **egregious** security failures out there and they can be found by just one person. If you find one of these things you will see too that it is possible to get the federal and industry agencies on the phone that you would expect to be interested in this stuff. But it is purely a courtesy. As soon as you hang up, they will go back to focusing on botnets or revenue-impacting issues.

    • I've been saying this for years there needs to be some kinda national security committee that exploits are sent too. If said company ignores the problem they get fined big time that's the only think theses corporations care about, Money. so we need to start making the fines much larger and maybe criminal charges as well. Think about it who are they going to listen to first some stranger like you who has no power or a Government Office that has the power to shut them down and fine and jail?
    • NSA's Information Assurance Division (not the spooks) works hard to help and to convince Big Corp to clean up their act. They recognize that financial IT security is fundamental to national security. Also, the FBI has a group that works to help companies improve security. So you might reach out to one of them.

      The fundamental problem is typified by Home Depot's management - as a Redditor noted, when IT asked for budget to implement essential security, their upper management said, "We sell nails and hammer

  • That phrase is quickly turning into the newest oxymoron.

    Hey I know lets stitch together these 8 completely open and utterly un-certifiable frameworks, have everything talk to each other through XML files, store high value passwords in them so we can just look at the database like a black box. Then lets expose all that to the world of hackers and madmen and then act surprised when we discover its been broken into!

  • JPM's audits have been "qualified" by PWC for the last couple of years, because (despite inhouse reports) the CIO has refused to implement proper controls. People in JPM who have reported these problems have been fired - from what I've heard, three heads of Risk Management have been fired in the last three years, each time after telling the CIO that he needs to fix these before their pension fund clients have to take action.

news: gotcha

Working...