Modern field guide to security and privacy

Cybersecurity mystery at JPMorgan Chase: What were hackers after?

The massive online security breach at JPMorgan Chase has confounded investigators because only customers' contact information appears to have been taken. And there is no evidence that funds were stolen.

Eric Thayer/Reuters/File
People walk by the JPMorgan Chase Co. building in New York, October 24, 2013.

The online security breach of JPMorgan Chase has raised puzzling questions about what the overseas hackers were after — and has pointed up just how steep the challenges are to keep information safe online.

In the JPMorgan Chase incident, which is one of the largest online security breaches in history, the hackers were able to access the contact information of 76 million households and 7 million small businesses having accounts with the banking behemoth, the company disclosed Thursday.

The massive incursion, however, has confounded investigators and other cybersecurity experts since only names, mailing addresses, e-mail addresses, and phone numbers appear to have been taken. And so far, there is no evidence that the hack was used to steal funds or gather sensitive account information.

In a filing with the US Securities and Exchange Commission on Thursday, JPMorgan Chase, the largest US bank with nearly $2.5 trillion in assets at the end of 2013, said there was “no evidence” that the hackers accessed account numbers, passwords, user IDs, dates of birth, or Social Security numbers.

But company officials were aware of the breach since July, when they said only 1 million customer accounts were compromised. Thursday’s revelation that the number was actually 83 million shocked cybersecurity experts around the nation.

“I think ‘crazy’ is just the way to describe it — I mean, it’s almost inexplicable,” says Fred Cate, former director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “Somebody used a sophisticated technique, we’re told, to break into this major international bank, and all they took were names and addresses?”

Adding to worries is the fact that the hackers, who investigators suspect may have come from Russia or Eastern Europe, were able to access more than 90 JPMorgan Chase servers for nearly two months before they were detected, and they had obtained the highest level of administrative privileges.

“It’s entirely possible the bad guys weren’t even after the information, they were after something else,” Brian Krebs, a cybersecurity investigator, . “If they have a month inside your network and they have time to cover their tracks, it could be difficult to find out what they touched.”

The hack at JPMorgan Chase comes after a series of troubling data breaches at some of the nation’s largest retail chains. Last year, hackers were able to access the information of 40 million credit-card and other card holders at Target, as well as 56 million this year at Home Depot.

Other companies, including the sandwich chain Jimmy John’s, the supermarket chain SuperValu, and a number of health-care providers have also this year.

“More than anything, it just raises this control question,” says Mr. Cate, who is also a professor at Indiana University’s Maurer School of Law. “Are our data in control anywhere? It’s not that we’re not winning the war — we don’t even know how bad the casualties are right now.”

“JPMorgan Chase, both for legal reasons and for competition reasons, I think we can assume had pretty good security,” he continues. “And we think of banks as having better security than retailers, for example. Yet when you see a bank breached at this level, with this number of [customers] and at this duration, it really does suggest that we’re not on top of this.”

The battle against hackers, say cybersecurity experts, is a 24/7, 365-day-a-year arms race as new and sophisticated methods of infiltrating networks are constantly evolving. Some “phishing” attacks have been known for decades, but newer, much more advanced “malware” can sneak into networks undetected.

And the United States lacks a centralized, mandatory database of malware “signatures” — the telltale signs of a malicious hack that allow security experts to set up firewalls against them nationwide, experts say.

“Knowing about this breach would certainly make every other bank in the country go back and look for the very same signatures of this type of breach,” says Cate. “And you’d like to think this kind of information would be provided, at least to regulators, as quickly as possible — in hours or days, not months.”
