The massive data breach at JPMorgan Chase could have been prevented with a simple security solution, according to new data.
The company close to the investigation told the New York Times that the US-based bank and financial company pays approximately $250 million annually to secure its system. But the company is embarrassed that it suffered a breach due to employee negligence.
The bank became a victim of a cyberattack last year in late August. It was revealed in October that hackers managed to breach the data of 7 million small businesses and 76 million households.
The attack included the compromise of JPMorgan’s customers’ addresses, names, email addresses and phone numbers, as well as information about business line customers were affiliated with.
One compromised password was reported to be the root cause of the event. Things could have been prevented there, but the firm’s security team didn’t update one of its servers with two-factor authentication, according to anonymous sources referenced in the NYT report.
Two-factor authentication provides an extra layer of security access. In addition to a regular password, it sends a user a unique code to his/her smartphone. The single server at JPMorgan, without this feature, left the bank vulnerable to intrusion since it only required the hacker to enter login credentials and no secondary code.
Times says the bank is now conducting a top-to-bottom internal review with the aim to weed out security holes in its network, and make sure that it doesn’t face public embarrassment in the future.
JPMorgan Chase reassures that no social security numbers or account information were compromised in the breach. The information that was exploited could have been taken via phishing scams, such as calls purporting to be from the company and malicious email messages.
“These criminals accessed customer contact information, but no account information”, stated Patricia Wexler, a spokeswoman for the bank. “We have seen no evidence of fraud as a result of this”.
The bank states it will never ask its customers for personal information in a text message or email, so if you receive a suspicious message, report it to JPMorgan Chase. The bank also published a detailed guide to help customers pick phishing frauds.
When the attack was first reported in August, the FBI was investigating whether there was any involvement from Russia. The belief came from the fact that Russia wasn’t pleased with the US sanctions that came following the country’s actions in Ukraine. While that option was ruled out later, the origins of the attack remain unknown.
The bank’s antiquated systems have been purported as the entry point for the ease of the adversary’s entry. JPMorgan has integrated the networks of smaller financial institutions it has acquired over the years. An insider told the NYT that it’s not uncommon for old company names to randomly show up in JPMorgan URLs.
Apart from two-factor authentication, JPMorgan and other financial institutions can leverage external cyber intelligence solutions like Massive’s Strixus. Such an option enables financial firms to integrate real-time actionable intelligence in their security implementations for counter-measures and proactive actions against attacks to their digital infrastructure.