Financial giant JPMorgan Chase is no longer investigating a possible cyberattack. The firm is now offering details about how bad the summertime breach really was.
Brace yourself because the news isn’t good, whether you are a Chase customer or not. It turns out the accounts of 76 million households were compromised in the attack. On top of that, another 7 million small businesses were compromised. The bottom line: It’s much, much worse than we thought.
In a Securities & Exchange Commission filing, the firm revealed that user contact information, including names, addresses, phone numbers and e-mail addresses were compromised. The silver lining in the dark data breach cloud is a lack of evidence that account information for affected customers, such as account numbers, passwords, user IDs, dates of birth and Social Security numbers were compromised.
The Even Worse News
JPMorgan Chase is one of many large breaches dominating the headlines these days. Mike Flouton, Vice President of Product Marketing at cloud security firm SilverSky, told us there are a few reasons for the upward trend.
“First, the bad guys are getting better and more bold, hitting bigger targets successfully,” Flouton said. “But an important, yet more subtle point is that large organizations like JPMorgan Chase, Target and Home Depot invest more in detection and response capabilities, and are in a much better position than a smaller retailer or community bank to notice a breach.”
While breaches often do leave telltale signs, Flouton said they are much more difficult to spot than broken windows and drilled vaults. From his perspective, it’s a safe bet that a staggering percentage of data breaches are never discovered — and when they are discovered are kept out of the news.
“Complicating things is that we, as a society, are becoming desensitized to data loss, and it takes increasingly larger breaches to capture our attention,” he said. “But the smaller breaches aren’t going away. They’re increasing in frequency and impact just like their larger brethren.”
What’s more, Todd Harris, director at network security company Core Security, told us breaches don’t need to involve credit cards to be damaging. Identity information is just as powerful and is pieced together by the black market to form full profiles from multiple sources, which go for big money. His advice: “Anyone affected still should proactively monitor his or her accounts for suspicious activity.”
How to Defend
Where do we go from here? Todd Feinman, CEO of secure computing firm Identity Finder, told us blocking every type of attack is an ideal but unrealistic and there needs to be more emphasis on knowing where the most sensitive data thieves want to steal is located and minimizing access to it.
“Organizations will usually have business requirements making it near impossible to 100 percent eliminate all forms of sensitive data but shrinking the footprint such that hackers and malware like Backoff have a smaller target to attack will significantly reduce the risk of exposure,” Feinman said.
He pointed to a “multitude of entry points” into an organization including remote access to the cloud — and that reality has blurred the concept of the security perimeter.
“This shifts the focus to a much more data-centric security model,” Feinman said. “Today it’s more about sensitive data management rather than security management. A 2013 Javelin research report found that financial institutions that have been breached can expect to lose a significant percentage of customers at 46 percent.”
NewsFactor Network