Here's why: As part of the attack, hackers accessed personally identifiable information stored by Chase about some 76 million households and 8 million businesses. That means the hackers who breached Chase have all the information they need to wage sophisticated spear phishing campaigns that appear to come from the bank.
The breach at Chase is a chilling reminder that banks and credit unions can't just focus on protecting card data and online banking accounts; they also must protect their customers' personal information.
As one executive with a U.S.-based financial institution, who asked to remain anonymous, told me: "We have so much data to protect that we prioritize and rank our efforts. We treat PCI-DSS [for payment card data] as the ultimate and first level of protection, customer account information as the second level, and customer name, e-mail and address as the 'we'll get to that in a minute' level."
Many banks are layering up security for the data they deem "sensitive." But they do not appear to be making as great an effort to protect PII.
"A list of valid bank customers' e-mails, phone numbers and addresses is significant," says the bank executive. "The call to action is to recognize that even a large breach of what is deemed 'less valuable' information is often more valuable than thought, and the cost of a breach of this 'less valuable' information is not always less - just ask the CFO at Chase as he adds up the cost of reputational and privacy impacts. It's time for everyone to re-stack the risk management template used to prioritize what data we protect and how."
This is why banks, and all organizations for that matter, have to encrypt PII, just as they would card data and other sensitive information.
The New York Times reports that in addition to Chase, nine other financial-services companies were breached by a Russia-based hacking group (see Beyond Chase: 9 More Banks Breached?).
At this point, we don't know whether those allegations are true, or whether similar information may have been exposed. But we do know that banks across the nation spend big bucks every year on cybersecurity and regulatory compliance. In fact, Chase said long before news of its breach broke that it planned to spend more than $250 million by the end of 2014 on information security - a monetary investment it expects to make annually going forward.
But banks have to ensure that they spend their money wisely, including taking adequate steps to protect PII. Like Chase, many other institutions could fall victim to hackers and expose personal information about their customers.
Without the right investments in technology and personnel, banking institutions are going to continue to miss the security mark.
"Really, it's about creating a layered service environment," says Peter Gordon, a senior vice president at core banking services provider FIS. "There is not just one solution - it's about layers of defense."
FIS has spent more than $300 million to shore up its own security defenses over the last three years. In 2011, FIS' prepaid card network was breached and several of its more than 14,000 global banking institution customers were impacted (see Mitigating Third-Party Risks).
Fear of Phishing
"With the JPMC breach, the bad guys now have a much more powerful phishing message via e-mail, phone call or direct mail," says the unnamed executive. "Imagine the e-mail that now includes your name, your e-mail address and your physical address asking you to please log in to the online banking website of said institution, asking you to update your information to ensure you are safe from the attack. The bad guys just got enough information to make consumer phishing credible again."
In the thriving world of social media we live in today, it's becoming increasingly difficult to keep personal information out of fraudsters' hands. None of us wants the bad guys to have too much information, so as banking leaders, the onus is on you to protect it where you can.