JPMorgan: Hackers Had Access to 90 Servers for Two Months

Amid all of the retail data breaches that have been making headlines for the last year or so, the revelation earlier this month that JPMorgan Chase was the victim of a massive compromise that affected millions was even so a bit shocking for the general public. But new details are emerging, showing that the attackers were able to knock around the network for at least two months before being discovered.

As many as 76 million households and seven million businesses were affected by the incident. The bank admitted in an SEC filing that hackers stole contact information such as name, address, phone number and email addresses, as well as unspecified “internal JPMorgan Chase information relating to such users.” So far, it claims that it has not seen any “unusual customer fraud” in the aftermath.

According to unnamed sources inside the investigation that spoke to the New York Times, hackers were able to gain a high level of system privileges on more than 90 servers. The attack began sometime in June and went through August.

Federal authorities believe that the perpetrators, who are likely part of a Russian cyber-gang, were motivated by financial gain and were not state-sponsored. But so far, investigators are at a loss to determine just how the hackers got in.

The infamous Target hack began via the network of an HVAC contractor for the retailer. So it was a red flag that JPMorgan first noticed an intrusion on its Corporate Challenge website, before discovering the larger compromise. The challenge website is run by an outside vendor for the bank on a server maintained by an Internet firm in Ann Arbor, Mich. Even so, the Feds have ruled out this as an infiltration vector to the broader network.

Nonetheless, the Treasury Department now plans to beef up oversight when it comes to outside vendors for financial institutions, including law firms, accounting and marketing firms and “even janitorial companies,” the Times said.

Another source said that New York State’s top financial regulator, Benjamin M. Lawsky, is mulling a new rule requiring banks to “obtain representations and warranties” from vendors about the adequacy of their cyber-security profiles. The Times said that Lawsky has already sent a letter on Tuesday to dozens of banks requesting that the firms provide “any policies and procedures governing relationships with third-party service providers.”

“It is abundantly clear that, in many respects,” Lawsky said in the letter, “a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors.”

The attack on JPMorgan was part of a larger offensive against as many as 13 financial services firms—a fact that is certainly stoking the fires of regulators on this subject.

Photo copyright © Gil C

What’s Hot on Infosecurity Magazine?