Last week, JPMorgan Chase grabbed headlines for suffering a major breach that exposed 76 million household accounts and seven million small businesses.
The attack on the major bank has been one of the most successful of its kind, pushing politicians and lawmakers from across the US to speak in favor of cyber legislation, each using the attack to support their legislation of choice.
The hack affected JPMorgan Chase online services, including its website and smartphone app. The affected credentials were phone numbers, emails, addresses and names – enough to conduct sophisticated phishing attacks.
Hackers in Russia and Eastern Europe are at the top of the FBI’s current suspect list for being behind the attack. The timing of the attack increased suspicions of economic warfare, coming after the rising tensions between Ukraine and the West over economic sanctions.
“The longer we wait to take action, the more vulnerable we become, and as we’ve seen today, Americans will pay the price,” Sen. Angus King stated last week after hearing about the breach. He also added:
“Congress must work to pass legislation that will improve our capabilities and protect us against more attacks like these. The next Pearl Harbor will be cyber, and shame on us if we’re not prepared for it.”
The notion comes after the PIPA and SOPA anti-privacy legislation Congress has been trying to pass for years. The fear-mongering tactics date back to the aftermath of the 9/11 attack, when Congress used similar reasons to pass the anti-privacy Patriot Act legislation.
Sen. King is talking about passing the CISA (Cyber Information Sharing Act) bill, which gives companies incentives to freely share the information they gather. If companies are attacked after sharing this information, they won’t be held liable for the breached information. This free sharing of information is also meant to help the government combat attacks.
Here’s an excerpt from the bill:
“The new, 39-page draft bill, written by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and Sen. Saxby Chambliss (Ga.), the ranking Republican, states that no lawsuit may be brought against a company for sharing threat data with “any other entity or the federal government” to prevent, investigate or mitigate a cyberattack.”
If this bill could indeed thwart attacks, it could lessen the damage caused by a hack on large institutions like JPMorgan Chase. In this case, misuse of information or theft of more credentials could have led to devastating results. The bank has 68.5 million open accounts and is the largest issuer of credit cards in the US. It also hosts 30.1 million checking accounts, and the Chase.com annual report states it is the most visited financial services website in the country.
The financial industry is taking the threat seriously: the WSJ reported that the same hackers tried to infiltrate other financial institutions, many of which reported seeing traffic to their networks from suspect IP addresses but did not believe their systems were hacked. The Journal also pointed out that federal officials disagree about the extent of the access gained by the hackers.
JPMorgan itself is planning to spend $250 million annually to bump up security. Most media outlets are rooting for the cyber legislation, but it has come under extreme criticism from privacy advocates and regulators, who state that sharing of information between intelligence agencies and the corporate sector would lead to invasion of privacy.
Nextgov cites Adam Levitin, a Georgetown professor, as stating:
“JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked,” he said.
The CISA bill and investment in security may prevent some damage, but perhaps the best route to preventing hacks like the one JPMorgan suffered would be a solution that provides aggressive mitigation and prevention options along with the technical means to effectively shut down and investigate the source of the threat. This could be the best way for financial institutions to survive in the global threat landscape.