According to a recent SEC filing by JPMorgan Chase (JMPC), a cyber attack on the company that had previously been estimated to have affected about 1 million customers has in fact impacted a total of approximately 76 million households and 7 million small businesses.
In a FAQ at chase.com, the company states, “You were affected if you used the following Web or mobile services: Chase.com, JPMorganOnline, Chase Mobile or JPMorgan Mobile.”
The attackers breached 90 of JPMC’s servers, effectively giving them high-level admin privileges in the bank’s systems.
The Wall Street Journal reports that JPMC COO Matt Zames recently sent a memo to employees reminding them to ensure that they’ve “fortified” their own defenses by logging off workstations, using complex passwords, and changing passwords regularly.
The good news is that it appears that the only data stolen was contact information — names, addresses, phone numbers and email addresses — and “internal JPMorgan Chase information relating to such users.” No financial information, passwords, or Social Security numbers appear to have been compromised.
Still, Malwarebytes Labs head of malware intelligence Adam Kujawa noted by email that the stolen contact information could be leveraged, in conjunction with user credentials stolen in other breaches, to enable criminals to verify themselves falsely as a valid user.
“In addition, probably the biggest issue victims will come in contact with is the likely flood of spam and phishing attacks,” Kujawa said. “Using personal information like name, phone number, address, e-mail and the fact that these victims had accounts with JPMC means that attackers could send personalized phishing attacks to these users, pretending to be Chase and asking for login credentials.”
Nick Akerman, partner at the law firm Dorsey & Whitney, said by email that something needs to be done to motivate companies to improve cyber security. “I would be in favor of making the negligent failure to protect data a federal misdemeanor, just like it is a federal misdemeanor for individuals and companies who are negligent in polluting our waterways,” he said. “Using the federal criminal law to create this kind of incentive to protect valuable computer data is needed to force companies and individuals to treat the protection of data as a the serious issue it is.”
In last year’s annual letter to shareholders, JPMC CEO Jamie Dimon wrote, “By the end of 2014, we will have spent more than $250 million annually with approximately 1,000 people focused on the effort. This effort will continue to grow exponentially over the years.”
“We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe,” Dimon added. “It is going to be a continual and likely never-ending battle to stay ahead of it — and, unfortunately, not every battle will be won.”