The cyberattack at JP Morgan in August could have been prevented by a simple security update: adding two-factor authentication to one of its servers that didn’t have the added security layer, according to the New York Times.
“The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network, several of the people briefed on the matter said, adding that, internally, the episode is seen as an embarrassment,” the Times said in its report. “The relatively simple nature of the attack — some details of which have not been previously reported — puts the breach in a new light.”
The attack was originally reported to affect about 76 million customers and small businesses. The number has reached 83 million and hackers received access to sensitive customer data, although no widespread fraud has been seen yet.
“The bank maintains that the damage to customers was limited to the theft of email passwords, home addresses and phone numbers,” according to the NYT. It is still not known where the attack originated.
Two-factor authentication is a simple security measure that can thwart many attacks. Just having a stolen password is not enough when this measure is in place since a second one-time password is needed to gain access. Hackers stole an employee password at JP Morgan and had simple two-factor authentication been installed on all servers, this could have been prevented.
When the WHIR reported on the cyberattack in October, we spoke to security expert Andrew Avanessian, EVP of Avecto Consultancy & Technology Services. He said then that simple security measures likely could have prevented the attack and that there are generally commonalities between the kinds of breaches at companies like JP Morgan, Target and Home Depot.
Implementing simple security measures such as two-factor authentication, administrative privileges and blocking all programs that aren’t whitelisted takes care of most potential security holes. These are among some of the suggestions made by the Council on Cybersecurity.
Protecting customer data has always been important, but now possibly even more so. Earlier in December, a Minnesota US District court judge ruled that Target can be sued for negligence due to the 2013 security breach. Several banks that want to file suit against the company for the malware incident scored a victory when the judge sided with them. This ruling sets a precedent that could put service providers at great risk if they don’t take every possible measure to protect customer data.
“A large part of the problem, security experts say, is that it has become nearly impossible for banks of JPMorgan’s size to secure their networks, particularly as they integrate the networks of companies they acquire with their own,” said the Times article. “This has been a particular headache at JPMorgan, where it is still not uncommon for the name ‘Bank One’ — a lender JPMorgan merged with a decade ago — to pop up in a web URL.”
This indicates simply being a large organization is not necessarily an advantage, and may actually be a disadvantage when it comes to cybersecurity. In May, the New York State Department of Financial Services released a report stating that financial institutions of all sizes experienced attempted or actual intrusions over the past three years.
Security breaches are on the rise this year with several major companies experiencing hacks of varying severity using a variety of methods. JP Morgan, Kmart, Dairy Queen, Home Depot, Xbox, ICANN and Sony have all been the target of hacks designed to obtain sensitive data.
Turnover may also affect the security of an institution. The attacks at JP Morgan came after the bank’s chief information security officer left earlier this year along with other top security specialists, leaving the security team short on leadership for months. JP Morgan just hired Greg Rattray to fill this position in June.