US bank JPMorgan has admitted that a cyber attack disclosed back in August was much more serious than at first thought, with as many as 76 million households and seven million businesses affected.
The bank said in an SEC filing that contact information such as name, address, phone number and email address had been exposed in the attack, as well as unspecified “internal JPMorgan Chase information relating to such users.”
However, it was at pains to point out that “there is no evidence” that bank account information was compromised, and it claimed that so far it has not seen any “unusual customer fraud” related to the incident.
“JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to,” it added.
“The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.”
News first emerged back in August that JPMorgan and four other banks had been hacked by a group of Russian cybercriminals, although at the time it estimated that only around one million accounts had been affected.
The new revelations make this data breach one of the worst of its kind ever.
Check Point UK managing director, Keith Bird, warned customers to be aware of potential phishing attacks in the wake of the breach.
“Attackers will try and trick customers affected by the breach into revealing more details, such as account numbers and passwords,” he added.
“For the attackers, it’s just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks.”
Chris Boyd, malware intelligence analyst at Malwarebytes, claimed the data stolen is a “spammer’s gold mine.”
“If any of the 76 million affected have had other data leaked in the past, it would be easy for those behind this attack to build up a robust picture of their targets and throw a little social engineering into the mix, making the emails seem less random and the phone calls more persuasive,” he added.
Tim Erlin, director of IT security and risk at Tripwire, argued that other banks should take this opportunity to look at their own cyber defenses.
“While there’s little doubt that JP Morgan has taken action since the original incident was reported, the size and complexity of their network means they are unlikely to have rolled out new protections comprehensively by now,” he added.
“In situations like this, time is always the enemy.”