Despite assurances from JPMorgan Chase that what may be the biggest data breach to hit the U.S. financial sector did not compromise individual account numbers, experts say customers must be on guard.
Chase’s claim that hackers got client names, addresses and phone numbers — but not account information and passwords — should be “taken with a grain of salt,” said Avivah Litan, an analyst at tech research company Gartner.
Litan notes that it took Chase more than a month to initially detect the attack, which began in June. And it didn’t publicly acknowledge the break-in until September. Chase said Thursday it resulted in the theft of data on more than 76 million customers. The bank initially thought the breach had compromised about 1 million accounts.
It wouldn’t be surprising if more damage is uncovered as the bank and law enforcement continue to investigate. “Often you think they’re out of your system and they’re still there,” said Litan, who was a director of financial systems at the World Bank.
The analyst is particularly concerned about reports that the hackers gained root-level access to 90 Chase servers. Root-level access gives a user full administrative privileges on a system: the ability to read any data on it, install or modify software, alter logs and harvest credentials. An attacker with that foothold can use it to pivot to other machines on the same network. “They know exactly where the assets are and they can go after them,” said Litan. “You have to wonder why they stopped where they did — if they did.”
Litan isn’t the only expert concerned that the full extent of the breach is not yet known. Root-level access “gives the cybercriminals great potential to run malware on Chase systems, attack further in the future, and strike again at will to try to gain access to financial information as well as personal information,” wrote Rurik Bradbury, chief marketing officer at cybersecurity specialist Trustev, in a blog post.
Armed with a customer’s account numbers and passwords, along with their addresses and phone numbers, a fraudster could drain a victim’s assets within minutes. “It’s terrible news,” said Litan.
The breach has lawmakers calling for legislation that would remove barriers that prevent financial institutions from sharing information that would make it easier for them to combat cybercrime. Senator Angus King, I-Maine, is backing a bill that would allow banks to voluntarily share anonymized information about breached accounts. “The longer we wait to take action, the more vulnerable we become,” King said in a statement late Thursday. “The next Pearl Harbor will be cyber, and shame on us if we’re not prepared for it.”
Meanwhile, some in Congress are calling for tougher penalties on financial institutions that fail to safeguard customer data. Senator Edward Markey, D-Mass., is pushing for passage of the Personal Data Protection and Breach Accountability Act, which among other things authorizes the attorney general to bring civil suits against banks with lax security.
In a separate incident, Chase last year told customers that hackers stole the personal information on 465,000 holders of prepaid cards issued by the bank. CEO Jamie Dimon earlier this year said the bank would spend $250 million in 2014 to upgrade security systems. Chase officials did not respond to a request for comment for this story.