BreachExchange mailing list archives
JPMorgan data breach likely due to basic security lapse
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:33 -0700
http://www.todayonline.com/tech/jpmorgan-data-breach-likely-due-basic-security-lapse

The computer breach at JPMorgan Chase earlier this year — the largest intrusion into a United States bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack.

Big corporations such as JPMorgan spend millions — US$250 million (S$331 million) in the bank’s case — on computer security every year to guard against increasingly sophisticated attacks such as the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a very basic one, the people said.

The attack against the bank began last spring, after hackers stole login credentials, these people said. Still, the attack could have been stopped there. Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.

The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network, several of the people briefed on the matter said.

The relatively simple nature of the attack puts the breach in a new light. In August, when Bloomberg News first reported on the attack, which ultimately compromised account information for 83 million households and small businesses, the bank’s security experts and the Federal Bureau of Investigation feared a sophisticated adversary. It is not known where the attack originated.

The bank maintains that the damage to customers was limited to the theft of email passwords, home addresses and phone numbers.
“These criminals accessed customer contact information, but no account information,” said Ms Patricia Wexler, a bank spokesperson. “We have seen no evidence of fraud as a result of this.”

The revelation that a simple flaw was at issue may help explain why several other financial institutions that were targets of the same hackers were not affected nearly as much. To date, only two other institutions have suffered some kind of intrusion, but those breaches were said to be relatively minor by people briefed on the attacks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!