A JP Morgan employee’s personal computer was used to breach the bank’s network, according to a Wall Street Journal report on Thursday. Access to the PC enabled intruders “to leapfrog to additional data because the machine accessed had administrative privileges.”
There are now at least 13 other financial institutions linked to the security breach at JP Morgan; it was originally reported that the hackers had targeted only five banks. A source close to the investigation told Businessweek that computers used by the hackers in the JP Morgan attack were linked to possible probes at other financial institutions.
Companies now named in the investigation include Citigroup Inc., HSBC, E*Trade, Regions Financial and Automatic Data Processing. Signs of intrusion were detected, but the attempts were stopped by technology that was already in place. Last week, JP Morgan reported in a regulatory filing that over 76 million customer accounts were affected by the intrusion.
Multiple law enforcement agencies are now investigating including the Federal Bureau of Investigation, National Security Agency, Department of Homeland Security, US Attorney’s office in Manhattan and New York’s Department of Financial Services.
Having measures in place to prevent hacking in the first place is the best strategy for keeping sensitive data from leaking. In a conversation with the WHIR on Thursday, Andrew Avanessian, EVP of Avecto Consultancy & Technology Services, said there are commonalities between the breaches at companies like JP Morgan, Target and Home Depot. Simple measures such as restricting administrative privileges and blocking every program that is not on an approved whitelist close most of the holes these attacks rely on. Both are among the controls recommended by the Council on Cybersecurity.
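As an added illustration of those two controls on a Windows endpoint (this is example code written for this page, not from the article, Avecto or the Council on Cybersecurity), the PowerShell below audits who really sits in the local Administrators group and builds an AppLocker allow-list from what is already installed. The approved-principal list and the CORP domain names are hypothetical; the cmdlets are the built-in Microsoft.PowerShell.LocalAccounts and AppLocker ones, so it assumes Windows 10 / Server 2016 or later with the AppLocker feature available.

```powershell
# Added example (not from the article): least privilege + application allow-listing.
# Run in an elevated PowerShell on Windows 10 / Server 2016+.

# 1. Controlled use of administrative privileges.
#    $ApprovedAdmins is a hypothetical allow-list; replace it with your own.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (normally disabled)
    'CORP\Domain Admins',                # added by default on domain-joined machines
    'CORP\Workstation-Admins'            # the only group that should administer endpoints
)

$Members    = Get-LocalGroupMember -Group 'Administrators'
$Unexpected = $Members | Where-Object { $ApprovedAdmins -notcontains $_.Name }

foreach ($m in $Unexpected) {
    Write-Warning "Unexpected local admin: $($m.Name) [$($m.ObjectClass) from $($m.PrincipalSource)]"
    # Dry run first; drop -WhatIf once the list has been reviewed.
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
}

# 2. Application whitelisting with AppLocker: allow only what is already
#    installed under Program Files, so anything dropped into a user-writable
#    path (Downloads, %TEMP%) is denied by default rather than blacklisted.
$Installed = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll, Script
$Policy    = New-AppLockerPolicy -FileInformation $Installed -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -IgnoreMissingFileInformation

# Dry run the policy against a binary outside the allow-list. With only Program
# Files rules, even C:\Windows\System32\notepad.exe comes back DeniedByDefault,
# which shows both the deny-by-default behaviour and why C:\Windows needs rules too.
Test-AppLockerPolicy -PolicyObject $Policy -Path 'C:\Windows\System32\notepad.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply locally once the decisions look right. Enforcement also requires the
# Application Identity service to be running.
# Set-AppLockerPolicy -PolicyObject $Policy
```

The admin audit is the cheaper of the two and catches the case the article describes: a workstation where an ordinary user, a helpdesk account or a forgotten service account has ended up in Administrators. The AppLocker half is deliberately left as a dry run, because a publisher/hash allow-list generated this way will block legitimate software you forgot to scan, and the safe rollout is to inspect the `Test-AppLockerPolicy` decisions and run the rules in audit mode before enforcing them.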
Avanessian says that many breaches aren’t caused by malware or something that’s been downloaded to machines.
“There’s always a common theme for me that spreads across all of these things; it’s the approaches they take to their security posture which for me is the reason they get breached,” said Avanessian. “The data breaches are simple IT administration tasks that are carried out. Look at Target for example, I think it was like 12 steps the hackers took to breach their environment and only two of those steps actually involved a piece of malware payload being downloaded onto the machine. The rest of the activity was IT administration tasks carried out day in, day out by administrators.”
This seems to be exactly the case with JP Morgan, since an employee’s computer with administrative privileges was the original source of the breach.
“So the key takeaway for me is that what lots of organizations try to do is to be detectives. They try to look for odd activity in the environment, they try to detect the bad guys doing something, which means you’re always two, three or more steps behind the bad guy,” Avanessian says. “One of the things we always advocate, and I’m astounded how many times this holds true in all of these breaches that come out in the media, is that you take a proactive approach to security. Lots of the time these issues, these attacks, simply would not be the case if those organizations were very proactive about their security rather than reactive.”
For at least some of the financial institutions probed, existing security measures prevented the hackers from breaching their networks. ADP noticed activity from the same criminals but reported no breach from the scan of its defenses. Others weren’t so lucky: Fidelity reported hacking in relation to the JP Morgan attacks, although no customer data was taken.
“We have no indication that any Fidelity customer sites, accounts, information, services or systems were affected by this matter,” a Fidelity spokesman said.