Personal information for up to 465,000 customers of JP Morgan, Chase & Co. may be at risk after hackers breached its network in July, the bank has admitted – and has issued warnings to state officials and cardholders across America.
The breach affects prepaid cards, specifically the bank’s Ucards, according to Reuters. Hackers breached the the bank’s www.ucard.chase.com servers, and accessed data, possibly including unencrypted information.
Speaking to Reuters, bank spokesman Michael Fusco said that the company was investigating which accounts were affected, and said that the bank is notifying those at risk. Users of Ucard – commonly used to distribute tax refunds and government benefits – will be notified via email.
“Seems to me that the last few years have established that no-one is too big, too powerful, or too well-secured to suffer an attack or leakage,” says ESET Senior Research Fellow David Harley.
“Security companies like RSA and defence-oriented companies like the big aerospace enterprises (not to mention certain government agencies) put a lot of resource into security and still get breached. It could be argued that some kinds of attack –especially those with an element of social engineering, targeted phishing and so on – are more likely to be successful in large organizations.”
Ucard users account for around 2% of the bank’s customers, Fusco said, and refused to rule out the possibility that personal information was stolen in the attack. Such information is usually stored in encrypted form, but the bank admitted that hackers may have briefly had access to computer logs containing information in plain text, according to Opp Trends.
The IB Times reported that the bank said “only a small amount of information” had been accessed – and said that customers’ social security numbers and birth dates were not at risk. The bank admitted, according to IB Times, that such information was briefly available in plain text in computer log files.
So far, there has been no evidence of the information being used fraudulently, JP Morgan said, but the bank is continuing to investigate. JP Morgan declined to explain how the breach occurred.
Fusco said, “In the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken.”
JP Morgan officials notified state agencies in Louisiana of the breach, as up to 8,000 residents may have been among those affected, according to local news service KATC.com.
The breach may have affected Louisiana residents issued cards for tax refunds, for child support benefits, and unemployment benefits, and affects those who registered cards between July and September this year, according to Commissioner Kirsty Nichols.
“We will be working with law enforcement officials as this investigation continues,” Nichols said, speaking to The Advocate. “We will hold JPMorgan Chase responsible to make certain that the rights and personal privacy of these Louisiana citizens is protected.”
ESET’s Harley says that raising awareness among employees is the best defense against such attacks (although he points out that JP Morgan is yet to reveal details of this particular incident. Harley says the current attack is evidence that large organizations can face problems due to their sheer scale.
“Thoroughgoing training, education, policy enforcement and so on raises awareness of psychological manipulation and the kind of apparently innocuous information sharing that can be built into a data aggregation attack,” Harley says, “But the bigger the organization, the more difficult and expensive it is to ensure that everyone gets the full benefit of those measures.”
“In a small organization, people are likelier to know each other well enough to recognize a message that doesn’t ring quite true, though that doesn’t mean they’ll always deal with the situation appropriately. In a big company, it’s far from uncommon for an individual to be contacted by someone they may never have met or even heard of, and it’s harder to pick up on those personal and procedural cues and clues that might alert them to something off-key.”
“At the same time, large organizations are required to conform to some transparency about what they do and who works there – maybe some organizations more than others… – which makes it easier for a determined attacker to gather intelligence that will help with the attack.”
Author Rob Waugh, We Live Security