The recent hacking of JPMorgan Chase has shaken not only what Americans have come to expect from their banks, but what we as a country have come to rely on in terms of computer safety, data security, and the ability to instantly access our money. There is a price to pay for convenience, a price many of the American public paid this summer when their finances and personal information were threatened by a cyberattack that evaded notice for quite some time.
To date, over 83 million businesses and individual users were affected. However, experts caution that number is liable to rise.
Up until just a few weeks ago, JPMorgan executives maintained that only one million accounts were breached. Regrettably, that estimate was absurdly low, as new reports confirmed that nine other financial companies- companies which have yet to be named- were also hacked. Until all the details are made public, many consumers may still be at risk.
Thought to originate from Russia, the hackers gained entrance to JPMorgan’s computer system using administrative privileges, burrowing deep into the network for weeks at a time. While inside, they accessed over 90 servers with the names, addresses, phone numbers, and email addresses of account holders. They never made it into where the more critical financial and personal information are stored; however, they were able to determine the “type” of account- that is, whether an individual account was related to the bank or to a loan, and accessed files that showed how a consumer typically accessed their money. Most security experts agree that if the attack had persisted, the hackers would have ultimately reached customer funds and sensitive data like account passwords and Social Security numbers.
The unusual presence wasn’t detected until late July, when the hackers were ousted before transferring the data back to their own servers…..except, of course, for one file. Containing every application and program deployed within the JPMorgan system, this file might allow the hackers to cross reference with system vulnerabilities to find another backdoor entry point in the future.
Replacing this program is expensive and would lead to a prolonged period of system downtime, as the bank would be forced to renegotiate licensing and reenter applications. However, many people feel this extra precaution is a step worth taking, especially since the bank did not suggest their customers change their passwords. While there has been no evidence of any unauthorized fund transfers, experts agree that a more organized attack on several banks at once could instigate mass panic, or even another financial crisis that could tank the economy. Benjamin Lawsky, New York state’s top financial regulator, urges all bank officials to take this threat seriously, maintaining that “there needs to be far more urgency,” in managing the blowback.
JP Morgan is participating with the F.B.I. to launch a full investigation into the intrusion.
Protecting your Money and your Identity: What does all this mean for modern consumers and data security?
Pam Dixon, executive director of public interest research group World Privacy Forum, warns that the hackers may sell the JPMorgan file to others, or combine it with freely-available information gleaned from social media accounts or public records to craft clever phishing emails to convince customers to reply with their Social Security numbers, usernames, or passwords. Dixon cautions that these messages are not the typically easy-to-spot Nigerian prince scams, but legitimate-sounding requests that may be difficult to detect. All consumers should be diligent, and remember that reputable financial and service providers should not be requesting private information be sent over email, at least not unsolicited by the customer. If you believe you have received a fake email, do not reply, follow any included links, or contact the business using any provided contact information; only use phone numbers or email addresses you have looked up yourself on a search engine. When in doubt, always delete the email before opening it and ask the company to confirm the details. If your account gets hacked, you will not be made responsible for any false transactions, but you must contact JPMorgan immediately.
Even if no customer information was obtained, the sheer audacity and length of the JPMorgan attack illustrates just how much we’ve all come to rely on the digitized frontier, and how ill-prepared Wall Street institutions are to defend this new territory. Before the JPMorgan debacle went public in July, most consumers reported high confidence in their bank accounts’ security, and even data industry experts agreed that banks were “relatively safe” from online hacking attempts because of their standard security requirements. In the past, any data breach involving stolen customer information was limited to PIN number phishing online or via duplicate card readers skimming account information at the ATM, a much clumsier attempt at identity theft. This disturbingly sophisticated effort to go right to the source- a bank’s internal database- has drawn a clear line in the sand. Banks and other Goliath institutions must do more to safeguard consumer data.
In terms of legal protections, legislators are also working towards a unified solution, or at the very least, mandatory guidelines for when, how, and to whom banks need to report a breach to. As of yet, laws about transparency and consumer reporting are vague. Companies are only required to inform their state’s attorney general’s office and customers about any digital violations without “unreasonable delay,” leaving the company room to disclose on their own timelines, sometimes delaying up to a year after the information was stolen. This is, of course, assuming there was actual financial loss associated with the breach. Most states don’t mandate that a company report anything at all unless the incident involved a credit card number or something similarly damning.
Unsurprisingly, this flip treatment towards consumer knowledge leaves the American public feeling exposed. In the age of the internet, it is frustrating that recent attempts at enacting a country-wide law have garnered little support, even though the banks themselves share information which each other about the breaches.
Concerned consumers should consider freezing their credit, which prevents anyone- even you- from opening an account in your name until you have contacted each of the three credit bureaus (Equifax, Experian, and TransUnion) and supplied a password and/or paid a small fee to lift the freeze. While certainly a hassle, it’s easier than trying to undo any damage by an identity thief. Checking your free credit report annually and reviewing every charge on your credit card bill can also help catch fraudulent transactions before they spiral out of control.
While JP Morgan may have dropped the ball this summer, most security experts have faith this issue can be prevented in the future. “Everybody is pretty terrible at cybersecurity, but financial firms and defense contractors have it together the most. When you consider the size of the targets painted on their backs, the one or two incidents that you’ve heard about implies that they are doing a really good job, because you can imagine how many people are trying to steal their information,” explained Chester Wisniewski, senior adviser for the well-known software security company, Sophos. Data breaches are part and parcel of the risks we take when we participate in the digital world.
One thing remains clear: data security is an increasingly-complicated issue that everyone needs to worry about.
To read more on the recent cyberattack, please visit The Washington Post and the New York Times.
