The bank’s security team had failed to implement two-factor authentication on one of JPMC’s network servers, leaving it vulnerable to the attack.
The New York Times says the fact that the breach came down a simple authentication flaw could explain why other financial institutions that were similarly targeted were not impacted as heavily as JPMC.
According to an October 2014 SEC filing, the breach impacted approximately 76 million households and 7 million small businesses. The hackers breached 90 JPMC servers, gaining high-level admin privileges.
“You were affected if you used the following Web or mobile services: Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile,” the bank stated at the time.
Still, JPMC says the actual impact of the attack was relatively limited, due to the fact that the attackers only obtained customer email addresses, home addresses and phone numbers.
“These criminals accessed customer contact information, but no account information,” JPMC spokesperson Patricia Wexler told the New York Times. “We have seen no evidence of fraud as a result of this.”
The New York Times notes that the breach is still under investigation by federal prosecutors and several state attorneys general — JPMC’s legal department recently advised several of its technology and cyber security employees not to “destroy or delete” any documents connected to the breach, which likely indicates that the bank had received a subpoena or request for documents.
Rapid7 global security strategist Trey Ford told eSecurity Planet by email that the nature of the JPMC data breach makes it clear that more needs to be done to protect organizations from compromise.
“We know attackers pursue access though all kinds of means, including phishing,” Ford said. “We know attackers are stealing and using credentials, in particular administrative credentials or accounts. Until companies divorce the belief that users and accounts are the same thing, and begin monitoring account usage, vigilantly searching for compromised account usage, this trend of breaches will continue.”
“Compromised credentials have been a factor in the vast majority of breaches, including Sony and Target, based on the information that has been shared to date,” Ford added. “Once an attacker has a privileged credential, they can usually access sensitive data and escape most incident detection solutions because they appear as a valid user to those detection solutions. This is how attackers are staying undetected in organizations for days, months and sometimes even years.”