BreachExchange mailing list archives

Why the JP Morgan Data Breach Is Like No Other


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Oct 2014 21:00:52 -0600

http://www.theatlantic.com/business/archive/2014/10/why-the-jp-morgan-data-breach-is-like-no-other/381098/

Another month, another report of a large corporation failing to keep
customer information secure. This time, it's JP Morgan reporting that 76
million households and 8 million small businesses were exposed in a data
breach. At this point, it's understandable if the news doesn't cause much
alarm.

To get psychological about it, it's a classic case of habituation: The
first time we experience something we pay close attention, but as it
happens again and again, we simply stop noticing. The first time your bank
calls you and tells you to replace your credit card, it's worrying. The
fifth or sixth time, it's annoying.

But hear us out: This JP Morgan Chase breach should freak you out, even if
you don't bank with them. Previous data breaches have largely been confined
to retail companies (Target, Home Depot etc.), where brands are required to
meet basic security protocols and not much else. "Retailers are known to be
cheap," Paula Rosenblum, managing partner at Retail Systems Research, said.
"But it gives me much more pause when it happens to a bank."

Banks have much more sensitive information about their customers than any
retail operation, everything from Social Security numbers to detailed
records of past spending. So far, JP Morgan reports that only limited
personal information, such as names, phone numbers, and addresses, was
stolen, insisting that Social Security numbers, banking information, and
other data remain safe. "I’m assuming that [that information] is
encrypted," said Rosenblum. "If not, then Katy bar the door."

Then there's the sheer scale of the breach. Let's repeat: Seventy-six
million households and 8 million small businesses were exposed. According to
The New York Times, JP Morgan believed only one million accounts were
affected a few weeks ago. So there's the possibility that the number may
rise even further.

But for those exposed by JP Morgan's data breach, personal information
leaks mean months of guarding against identity theft. "There's now a
potential array of fraudulent activity possible without the consumer even
knowing," Jeremy Edwards, lead analyst at IBISWorld, said. "If you get a
phone call that seems like it's coming from a financial institution with
your information, you're more likely to believe the scammer."

In addition, over the past two decades consumers have flocked towards
one-stop-shop megabanks and away from smaller regional chains, which means that
there are few options for those seeking a more secure bank. "There’s no
real reason to think that Bank of America will have better systems than JP
Morgan," said Edwards. JP Morgan, according to Edwards, was seen as being
one of the best at security. If they can get hacked, so can just about
anyone.

In the near-term, the JP Morgan breach will be an ongoing headache for the
bank and its customers. The bank, which reports that hackers gained
root access to many of its servers, will have to essentially strip out
and replace much of its internal IT infrastructure, a process that Edwards
estimates could take "months at the least." During that time, JP Morgan
customers will have to monitor their own finances more closely than they
would have in the past.

But according to Georgetown professor of law Adam Levitin, there's really
no way of preventing this type of attack from happening again. "JP Morgan
spends crazy amounts of money on IT security and yet they can still be
hacked," he said. "There’s really no way you can be connected to the
Internet and keep things safe."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
