SAN
FRANCISCO — The cyberattack on JPMorgan Chase & Co., first announced in
July, compromised information from 76 million households and 7 million small
businesses, the company revealed Thursday in a filing with the Securities and
Exchange Commission.
Contact
information, including name, address, phone number and e-mail address, as well
as internal JPMorgan Chase information about the users, was compromised, the
filing said. However the bank said no customer money appears to have been
stolen.
JPMorgan said "there is no evidence
that account information for such affected customers — account numbers,
passwords, user IDs, dates of birth or Social Security numbers — was compromised
during this attack."
The attack is one of the largest
corporate breaches thus far reported.
More chillingly, a report Thursday in
The New York Times said that the hackers were able to gain "the highest
level of administrative privilege" on more than 90 of the bank's servers,
according to people the newspaper spoke with who were familiar with the forensic
investigation of the breach.
That means they "had root" on
the servers of one of the largest banks in the world — they "could
transfer funds, disclose information, close accounts, and basically do whatever
they want to the data," said Jeff Williams, chief technology officer with
Contrast Security in Palo Alto, Calif.
In its SEC filing, JPMorgan said as of
Oct. 2 it had not "seen any unusual customer fraud related to this
incident."
"This is a truly remarkable attack,
but not just in its scope — hackers successfully penetrated one of the most
secure organizations on this planet and they stole absolutely nothing of value
— no money, no Social Security numbers, no passwords," said John Gunn,
with Vasco Data Security International in Chicago.
"Persistence like that, with no
stolen money, is due to a future planned operation — or that the objective was
to identify data that was material in some other aspect," said J.J.
Thompson of Rook Security in Indianapolis.
"This could be to track down a
person of interest by observing financial transaction locations, to plans
future large scale disruption when they know their competitor plans to wire
funds to close a deal, or any other odd scenario you could see on (the TV show)
'Blacklist,'" he said.
JPM shares were down 0.89% in
after-hours trading.
Whether there really was an attack or
not, consumers should beware of "piggyback attacks" in which
criminals launch social engineering attacks making use of customer anxiety
after reports of a big-name breach.
"The usual advice applies: If you
get an e-mail or a call from a JP Morgan rep, feel free to thank them for
contacting you and hang up. Customers should always initiate that contact by
looking at their credit card or statement for the contact number; you simply
can't trust that an incoming call or e-mail is legitimate and not a phishing
attempt," said Tod Beardsley, engineering manager with security firm
Rapid7.
Source: usatoday.com
No comments:
Post a Comment