JPMorgan Chase was hit with a computer attack on its servers in August that saw hackers make off with the banking data of 76 million households and 7 million small businesses. The raid supposedly started with just a single compromised password, and it all could have been prevented with a basic computer security measure called two-factor authentication, according to a published report.
Two-factor authentication is an identity verification mechanism that requires a second, independent proof, beyond the first credential, that an individual is permitted to access a device or data file. For example, a password might be the first test, followed by a biometric safeguard such as a fingerprint. In the case of JPMorgan, IT staffers forgot to upgrade a key server to a system that would have required two passwords for access, the New York Times reported Tuesday.
Millions of the financial giant's customers paid the price by having their personal information compromised. The breach is now the subject of an internal investigation at the bank, the newspaper said, citing unnamed sources within JPMorgan.
JPMorgan maintains that the affected data “only” consisted of email passwords, home addresses and phone numbers.
Experts say they'd be surprised if the lapse does not carry consequences for the bank’s security personnel. "If JPMorgan was maintaining its own network, I don't want to be the one to say people should lose their jobs," said Christopher Kusek, CTO of networking and security company Xiologix. "If it were outsourcing its network security to a third party, there should be some monetary ramifications."
The avoidable breach was a significant one, though there's no sign that the perpetrators have since used the stolen information for financial gain. “These criminals accessed customer contact information, but no account information. We have seen no evidence of fraud as a result of this," JPMorgan spokeswoman Patricia Wexler told the Times.
In a bit of stunt journalism that effectively demonstrated the strength of two-factor authentication, Wall Street Journal columnist Christopher Mims publicly shared his Twitter password earlier this year. It was just his name, "christophermims," but as his Twitter account was configured to require a numerical code upon sign-in, no one could access it. In JPMorgan’s case, $250 million spent on IT security wasn’t enough to guard against carelessness.
Representatives for the bank did not immediately return a call seeking comment.