In a regulatory filing on Thursday, JP Morgan said the cybersecurity attack first discovered in August actually affected 76 million households and seven million SMBs. The bank originally reported that only one million people were affected. At the end of August multiple sources reported that JP Morgan was among five US banks to be targeted this summer.
This number puts the JP Morgan cybersecurity breach ahead of other large attacks this year, including at Home Depot where 56 million were affected and Target where 70 million accounts were exposed. A recent Harris poll found that Americans’ concern over cybersecurity is even higher than worries over national security.
“The firm vigilantly continues to monitor the situation and continues to investigate the matter. In addition, the firm is fully cooperating with government agencies in connection with their investigations,” the filing said.
Comments such as the one that Edward J. Markey, a member of the Senate Commerce Committee, made Thursday only serve to further increase public distrust of institutions and of the technology systems, such as cloud-based computing, that protect their data. “The data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger.”
Although JP Morgan hasn’t yet commented beyond the filing, the New York Times reported that company spokeswoman Kristin Lemkau said that describing the hack as among the largest was “comparing apples and oranges.” Just comparing the number of customers affected puts this attack towards the top of the list of large cybersecurity attacks.
Cybersecurity is generally a high priority at financial institutions given the sensitive nature of the data they protect. Unfortunately, the attacks at JP Morgan came after the bank’s chief information security officer left earlier this year along with other top security specialists, leaving the security team short on leadership for months. JP Morgan just hired Greg Rattray to fill this position in June.
Customer contact data such as name, address, phone and email were accessed by the hackers. JP Morgan still reported that no fraud had occurred and that customers will not be liable for unauthorized transactions as long as they are reported.
The Wall Street Journal reported, “J.P. Morgan reiterated that it hadn’t seen unusual levels of fraud since the attack…customers don’t need to change their passwords or account information.” Although there has been no direct fraud as of yet, email addresses could be used in future phishing attacks. JP Morgan customers should be suspicious of any emails claiming to be from the bank. Nearly 70 percent of IT professionals experience such an attack once a week.
Given recent widespread vulnerabilities such as Shellshock and Heartbleed, it would be nothing less than prudent to simply change one’s password after such a security breach. Andy Ellis, Chief Security Officer of Akamai, notes in a blog post that Shellshock, with its original failed attempt at a fix, “presents an unusually complex threat landscape as it is an industry-wide risk.”
Venture capital is flooding to cybersecurity in an attempt to increase protection. About $788 million will be invested in cybersecurity startups this year, an increase of 74 percent over last year. More established protection companies such as Cloudflare, FireEye and Fireblade have financial institutions as customers. In a 2013 letter to shareholders, CEO Jamie Dimon wrote that JP Morgan spends about $200 million each year on cyber attack protection.
Even with that kind of investment in cybersecurity protection, banks are still among the most attractive targets for hackers. In May, the New York State Department of Financial Services released a report stating that financial institutions of all sizes experienced attempted or actual intrusions over the past three years.
According to the New York Times, it is still speculated that Russia could be involved in the attacks. “That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Southern Europe, may have been sponsored by elements of the Russian government,” people with knowledge of the investigation said.