JPMorgan Chase: No New Cyber-Attack
Bank Says Report of Second Breach Is Inaccurate
(For the latest update on the JPMorgan Chase breach, see: Chase Breach Affects 76 Million Households).
JPMorgan Chase labels as inaccurate an Oct. 2 New York Times report about a second data breach against the financial institution.
"The story is false," JPMorgan Chase spokeswoman Patricia Wexler tells Information Security Media Group. "We are not aware of any new breach."
The Times updated its story and revised the headline after Chase issued its statement. Citing "several people with knowledge of the investigation," the newspaper reported the nation's largest bank was, for the second time in three months, "scrambling to contain the fallout from a security breach of its vast computer network."
According to the report, JPMorgan Chase recently found that hackers, with potential links to Italy or southern Europe, had gained entry to some of the bank's servers.
"It is unclear whether the latest discovery constitutes a second breach or is part of the broader fallout from the first incident," the Times reported.
Experts Offer Analysis
Tom Kellermann, chief cybersecurity officer at Trend Micro, says once attackers infiltrate a network, it's easy for them to get back in. While he has no direct knowledge about the circumstances surrounding the June breach Chase confirmed last month, Kellermann says it's very possible the attackers maintained a backdoor for subsequent re-entry.
"The reality here is that the global cybercriminal community is utilizing the secondary backdoors deposited in systems from previous intrusions to compromise valuable financial data," Kellermann says. "The real question that must be asked is, 'Are these cybercriminals front-running JPMorgan's fundamental market positions?' ... The true assets of financial institutions is information that would provide macroeconomic indicators that are more sensitive than speculative bets, a la fundamental hedging strategies."
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, notes that the June attack appeared to have been waged by nation-state actors, suggesting the perpetrators were after more intrinsic information about the bank.
"In speaking with some informed individuals at the bank, I did learn of how unusual this attack was and that it definitely appeared to be a nation state attacking them," Litan says.
But Carl Herberger, vice president of security solutions at online security firm Radware, says it's too early to speculate about who may have attacked Chase in June and difficult to sort through the allegations of new attack activity possibly connected to the breach.
"It's a nice conjecture about this attack being state-sponsored, as there's motive and capability," he says. "But unless we can draw a strong correlation, we really won't know."
Herberger says speculation about the breach details has created a public relations challenge for Chase. "There is an underlying problem where too many people are in the middle of the analysis process," he says. "They're concerned about whether they can track something down, versus understanding the level of infection. Seventy-five percent of the time, cyber-attacks take seconds, no more than minutes, to be successful, and will require weeks or months until companies are even aware they've been breached."
In late August, news reports surfaced about a cyber-attack against JPMorgan Chase, which the bank confirmed in mid-September (see: JPMorgan Chase Confirms Cyber-Attack). "We uncovered an attack by an outside adversary recently where the firm's technology environment was compromised," Lemkau told the Times last month. "We are confident we have closed any known access points and prevented any future access in the same way."
That cyber-attack is acknowledged in a brief statement on JPMorgan Chase's website.
The Times, in a mid-September report, said that sources close to the investigation confirmed that hackers had access to dozens of JPMorgan's servers over a period of two months, and that they were able to review information about 1 million customer accounts and gain access to a list of the software applications installed on the bank's computers.
Another individual familiar with the investigation said hackers had not gained access to accountholders' financial information or Social Security numbers, and may have only viewed names, addresses and phone numbers, the report says.
The breach allegedly began in June and was not detected until late July, according to the report.