JPMorgan Says Data Breach Affected 76M Households (bloomberg.com)
196 points by anigbrowl on Oct 2, 2014 | hide | past | favorite | 97 comments



The real losers when this happens are the small businesses and nonprofits with recurring payments that have to contact their customers and ask them to reenter their new credit cards after they are replaced. Even in the best case, they're probably out a month's revenue, which can make or break a company.


The article doesn't say anything about credit card numbers being taken. It seems to imply just email address, phone number and physical address was taken.

That kind of information is nearly public (not that it's OK but it seems a lot less damaging).

If more was, it would be good to know.


The SEC filing states[1]:

  User contact information – name, address, phone number and email
  address – and internal JPMorgan Chase information relating to
  such users have been compromised.
I have multiple personal and business accounts at Chase, and they collect a shitload of other "internal information", way beyond name, address, phone and email.

Ostensibly for KYC [2] they try to collect personal information about the other members of my company, non-public information about my company's revenues and customers, my work and professional history, business plans and projections, my kids' college plans, real estate holdings, interests in other businesses, etc., etc., etc.

They're very pushy about gathering this information, claiming it's for regulatory compliance. I'm sure it's mostly for their own attempts to hawk their lame financial products.

So that category of "information relating to such users" could be ginormous.

[1] http://investor.shareholder.com/jpmorganchase/secfiling.cfm?...

[2] http://en.wikipedia.org/wiki/Know_your_customer


It's probably even worse than that. I've worked on bank systems. They collect all the things you mention, but also details of your personal finances, where you usually receive money from and how you spend it, guesstimates about your financial situation, 'suspicious' activity, details from every conversation you've ever had with a bank rep, and more.


It's legit. Actually had a fraudulent charge on my Chase card today from a jail phone operator in a southern state.

Only have a couple of recurring bills with the card and don't generally use it at stores, so I'm pretty confident that it was due to the breach at Chase. My biggest concern is someone using the other information they stole to open accounts under my name.


I don't know your card-usage habits, but if it was triggered by a jail phone operator within the US, it's much more likely your account information was taken at an unrelated time/event than this breach.

If stealing card/account information was their goal, there are a lot easier ways to do it. Any time you use your card at a non-official ATM, put it down to pay at a restaurant or even not shredding any mail with account information, you're putting yourself at risk. Heck, account information can be social engineered out of people quite easily as well - your particular usage habits could have nothing to do with it.


It is actually worse than that, isn't it? By law, only individuals are protected against fraud. If any small business account is compromised, they don't have that protection.

Or am I just off in my understanding of fraud protection?


Small businesses get screwed all the time by fraudulent chargebacks: http://en.wikipedia.org/wiki/Chargeback


I'm pretty sure taeric is talking about small business credit cards having chargebacks. They are almost identical, including the same protections, to a credit card held by an individual.


Do they? Unless things have changed, it was at least reported[1] that they do not have the same legal protections. They may have the same protections from the bank. But not by law.

[1] https://www.schneier.com/blog/archives/2009/08/small_busines...


If reminding customers that they are actually making recurring payments to a company causes that company to go out of business, I don't think we need to shed any tears.


I think he meant that a sudden huge drop in recurring revenue out of the blue can sink a small business while it's getting established.

I could see that.


I meant what noir_lord said. Ira Glass' monthly donation to NPR got cancelled when Target was breached, for example. You can probably back date such things, but a lot of people don't.


You mean "If requiring customers to go through the trouble of re-submitting all their payment information…", surely. Because that's what we're talking about here, not merely reminding them that they are paying.


The amount of private data about individuals that JP Morgan has makes it a very attractive target to attackers despite any difficulty (perceived or real) it takes to get the data.

Extending that logic, it means the NSA is an even more worthwhile target for attackers, because they have far more private financial data about individuals in the USA and people abroad. But you can bet that when (not if) a breach of the NSA happens, it will never be reported to the public.

The only solution here is to do away with these centralized stores of all our private and financial information, so the incentive for these attacks no longer exists. There's no amount of technological hardening that will make a determined attacker (state sponsored or otherwise) give up, when the reward for a successful attack is so high. Until then, reports of massive data breaches are going to be more and more common.


> But you can bet that when (not if) a breach of the NSA happens, it will never be reported to the public.

A security breach of the NSA has happened (obviously referring to Edward Snowden). It wasn't just user data either, but thousands of confidential documents about nearly everything the NSA was doing.

Given the simplicity of his attack, and the fact he would have gone undetected had he not disclosed those documents to media sources, it seems probable that important data has been stolen from the NSA in the past.


What kind of decentralized storage are you proposing? How should a bank keep track of customer accounts?


I think he was suggesting everyone stores the minimum of what they need to function. No more, no less.


The minimum of what a bank needs to operate includes your phone and contact details, social security number, your financial account number, your credit card number and your credit rating, for sure? Because, you know... they provide many of those numbers to you!


There are approximately 115M households in the US [1], so does this mean that two of every three households is affected by this data breach? If so, why isn't there more panic?

[1]: http://quickfacts.census.gov/qfd/states/00000.html


Because no one understands, so no one cares. Target and Home Depot didn't take any hit to their stock prices despite being the two biggest data breaches in a row. At worst, it registers as a minor inconvenience.

I dropped Linode after they showed me multiple times I couldn't trust them with my data or my money. People still recommend them, trust them, and even try to convince people to come back because the breach of trust wasn't that bad. Even in the tech world where people should know the impact and should care, no one really does.


If you classify hundreds of millions of dollars in loss as a minor inconvenience...


He was saying it registers with them as a minor inconvenience.

There is some bad PR on the day of announcement and for a short time after, but people soon forget and the stock price is barely affected if at all, so those up top don't feel it in the slightest.


For each individual customer, it's a minor inconvenience. Oh no, I have to get a new card and change my payments setup on Amazon. Once that's done, I don't care anymore.


Because nobody will be liable. If there's fraud on my credit card, I just phone Chase and they'll reverse the charges. In the scheme of daily irritations, this ranks well below a parking ticket.


You're not wrong.

Especially if you have been through it before, the apparatus for handling fraud, reversing it, and cleaning things up is so tight that it's hardly even distressing anymore. The biggest annoyance would be updating any recurring payments from that card.

Which got me thinking: How much of my bank fees are spent on fraud prevention and clean up? How much cheaper could credit card processing and banking in general be if banks didn't need to spend BILLIONS of dollars in infrastructure, procedures, and automation to make these fraud cases go so smoothly?


The sticking point is that banks don't want to invest in a new system unless they can shift liability to the consumer, which is unpopular for very good reasons.


The next question is: is that a tradeoff that is worth it?


Nobody is really addressing the root of the problem here - that credit card security is a total joke.

The way the credit card system works is we all send the keys to our accounts in plain text, and then store it in plain text.

Rather than come up with a more secure means of payment, the credit card companies force every customer to check every monthly bill on every credit card to make sure none of it was fraudulent, and somehow this is more "convenient" than using a secure method for payment.



That's not "the root" of this problem at all. Their internal systems were hacked and customer information was stolen. What would reforming credit cards do to help with that?


It seems odd to quantify this by "households". Is this normal? Per Wikipedia there are only 117m households in the US. So they are basically saying close enough to everybody. But then I am surprised that JP Morgan even has that percentage of US households as customers in the first place!


Don't forget all of the acquisition activity over the last ten years. Providian was bought by Washington Mutual, which was taken over by JP Morgan. Add to that BankOne from the early 2000s, Bear Stearns, several other regional banks, and their massive student lending network, and it's not unbelievable that they reach so many "households" even if those households don't bank directly with Chase.


I imagine JP Morgan keeps tabs on anyone that could ever be a potential customer. We should expect the same from any other business of significant size -- the information that can be stolen from each of them should be assumed to potentially affect every individual in every country where that company may have the slightest interest.


I apologize for this thread being slightly duplicative of another submission.

One thing which jumped out at me from this story but was not mentioned in others was that the attacks had been traced back to servers in a Russian data center. I wonder if and how we can distinguish between:

- Criminal hackers exploiting lax or less capable Russian law enforcement, or

- Criminal hackers operating with the studious indifference or tacit acceptance by Russian law enforcement, or

- State-sponsored espionage expressing a retaliatory or threatening posture in response to western sanctions against Russia.

It's very hard (as a consumer) to gauge whether the main problem here is corporate negligence, very well-supported attacks, or excess organizational size and complexity...or some combination of these 3 factors.


There is a third option. Domestic hackers who route all their attacks through places like Russia or China for the ease of deflecting suspicion/blame.


This is important. It's all too easy to route and obfuscate your traffic so that it appears to come from anywhere in the world you want. Given that, for example, the US already officially declared that they will respond militarily to a sufficiently annoying cyberattack, and that is rumoured[0] to include going (literally) nuclear, people in power should really remember that just because a cyberattack seems to originate from country X, doesn't mean country X is in any way involved.

[0] - I think I saw something implying this in official statements, though I can't find any good source that would confirm it right now; however the idea was discussed in media.


Oh, I thought that would be included in my first category - I'm not assuming that the hypothetical criminals are necessarily Russian, just that it's easier for them to launch attacks from within Russian jurisdiction for whatever reason. But it's a good distinction to make, thanks.


And because China and Russia have the highest rates of people running busted old XP/IE6 installs full of spyware.


I think what should happen is there should be laws that place sanctions on these companies for negligence in failure to secure their systems. That money should then go into a fund to provide security monitoring and consulting/auditing services for these businesses, retribution for those who have suffered losses due to the breaches. They clearly can't get it together and there needs to start being punishments (fine/jail) for the IT executives responsible. I hate to approach a problem with more regulation, but market forces haven't been working. I think there should be at the minimum threat of personal consequences for the executives if it is found they were negligent in their duties in any way to provide reasonable security for their systems, and to have processes in place to review code to ensure it does not have blatant security issues.


This is a horrible idea. It will immediately stifle all innovation in software. The only laws I would be in favor of are required transparency laws where you have to report all breaches with serious fines/jail for failure to comply.

The market will quickly sort things out if it has the appropriate information. People can then decide what privacy is valuable for themselves.


The only laws I would be in favor of are required transparency laws where you have to report all breaches with serious fines/jail for failure to comply.

This is already the case. The information comes from JPM's (mandatory) SEC filings. I forget the time frame but stuff like this (information that could reasonably be expected to have a material impact on the stock price) has to be reported within a pretty narrow window of becoming known to management, like 72 hours or so.

The market will quickly sort things out if it has the appropriate information.

By all appearances the opposite is true. I mean, where do you move your business to? I have no idea which is the most secure bank, only which ones have so far discovered and reported breaches. Neither Target nor Home Depot seem to have been punished very severely by the market if their stock prices are anything to go by.


Why would I care if my credit card information gets taken? If there's a fraudulent charge, I don't have to pay for it. Therefore, I have no financial incentive to take my business elsewhere or otherwise care about security.

The cost is borne somewhere (likely in the % fee credit cards charge merchants), but individual users have no incentive to care about it.


What was the actual information taken? How was the breach perpetrated? Two pretty big pieces of information we are missing. There may also be daily breaches that aren't significant enough to impact earnings that we never hear about.

No, we do not have any kind of transparency.

The second issue (where do I go?) can't be worked out at all until we have some idea of "where do I really not want to be?"


First you said you wanted a report of all breaches, now you're asking for the investigation to be run in public - rather a massive move of the goalposts. Without expressing any sympathy for the banks, I'm having trouble thinking of any business that would be willing or even able to do business under such conditions.


No, what I'm saying is that we don't have transparency in the reports. All we get is "something happened", with very few details of what "something" is. My goalposts never moved; only your interpretation of them.

Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems? I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.


This sentence:

>>Would you not agree that a data breach brought on by a disgruntled employee selling records is materially different than the same data breach caused by failure to patch systems?

Directly contradicts this one:

>>I don't care about the investigation (where did you get any implication I think investigations should be public); I care about the results.

The result is that people's credit card information got stolen. The investigation and the details -- i.e. whether it was an internal or external breach -- are not relevant to me as the customer.


Perhaps you have a different definition of investigation than I do. I see the investigation as the active bit where you are talking to people, looking through logs, trying to figure out what happened. At the end of that, you would have a report that said "this is what happened: this is the data that was lost and this is how it was done". That doesn't imply that every interview and every log file gets published.

Of course there is going to be some level of sanitization, but today we get no information beyond "we lost a bunch of data" (oh, look, they told us names, address, email, "and other information used to categorize customers", whatever that means).

If you decide it's not relevant to you, brilliant. Don't pay attention to it. It is relevant to me, because I don't have any other way to decide who I should trust with my information security. A company losing hundreds of credit cards a day to hundreds of different hacks is much less secure in my mind than a company that loses 70M names and addresses (as far as I know, the Chase hack did not expose credit cards; mine was not replaced). The former goes unreported; the latter gets splashed all over the news.


They may not have been "punished", but merchants, banks and the payment companies have finally been convinced that swipe cards should be replaced. The changeover with next year's "liability shift" won't be cheap, but it will result in a more secure system.


>>with serious fines/jail for failure to comply.

>This is already the case.

Err, no it isn't.

>I mean, where do you move your business to? I have no idea which is the most secure bank,

Couldn't agree more with that bit.


Wouldn't that cripple any new business storing user details? If these big businesses with large, dedicated security teams can't secure their systems against persistent hackers, what hope do we small fry have?

Often it seems to me that two ways of avoiding trouble are to avoid commodity solutions that can be automatically exploited (e.g., Wordpress, Drupal, Joomla, common plug-ins, etc) and staying under the radar.

If you're big or holding especially valuable data, you'll be targeted.


" The number of households affected by the attack on JPMorgan [76 million households and 7 million small businesses] compares with the 145 million personal records taken earlier this year in a breach of EBay Inc. and last year’s attack on retailer Target Corp., which affected 110 million. "

Do 'responsive firewalls' exist, that would close a hacked connection just because of the size of the data that is flowing out?

[I have often thought a firewall would be a good golang project]


Typically the perpetrators in these cases will trickle the data out over a very long period of time, thus evading many alarm triggers.


What patterns would show up?
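One way to make the two preceding comments concrete, as an added example that is not from any commenter: a per-connection byte limit (the "responsive firewall" idea) catches one bulk transfer but misses a slow trickle, whereas a trailing-window sum per (source, destination) pair and a cadence check both flag it. The flow records, host names and addresses are constructed for the example; the 10.0.0.0/8 internal-range assumption and the thresholds are illustrative.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev
from typing import NamedTuple

HOUR = 3600
DAY = 24 * HOUR


class Flow(NamedTuple):
    """One outbound connection summary, as a flow collector or proxy log would record it."""
    ts: int         # epoch seconds when the connection ended
    src: str        # internal host name (constructed)
    dst: str        # destination address (constructed; RFC 5737 documentation ranges)
    bytes_out: int  # bytes sent from src to dst


def is_internal(addr: str) -> bool:
    # Assumption for this example: the internal network is 10.0.0.0/8.
    return addr.startswith("10.")


def per_connection_alerts(flows, max_bytes):
    """The naive 'responsive firewall': flag any single connection above max_bytes."""
    return sorted({(f.src, f.dst) for f in flows if f.bytes_out > max_bytes})


def rolling_window_alerts(flows, window, max_bytes):
    """Sum bytes per (src, dst) pair over a trailing window; alert when the sum exceeds max_bytes.
    This is what catches a slow trickle that never trips a per-connection limit."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes) still inside the window
    totals = defaultdict(int)
    alerts = set()
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        recent[key].append((f.ts, f.bytes_out))
        totals[key] += f.bytes_out
        # Drop entries that have aged out of the window.
        while recent[key] and recent[key][0][0] <= f.ts - window:
            _, old_bytes = recent[key].popleft()
            totals[key] -= old_bytes
        if totals[key] > max_bytes:
            alerts.add(key)
    return sorted(alerts)


def beaconing_alerts(flows, min_count=20, max_jitter=0.1):
    """Flag external destinations contacted on a near-fixed cadence (low gap jitter).
    Scheduled jobs look the same, so internal destinations are excluded here;
    in practice you would also consult an allowlist of known batch targets."""
    by_key = defaultdict(list)
    for f in flows:
        if not is_internal(f.dst):
            by_key[(f.src, f.dst)].append(f.ts)
    alerts = []
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            alerts.append(key)
    return sorted(alerts)


def build_sample_flows():
    """Constructed sample: one host, three destinations, three days of traffic."""
    start = 1_412_200_000  # arbitrary epoch value, constructed
    flows = []
    # Legitimate hourly backup, 1 MB per run, to an internal server (24 MB per day).
    for h in range(3 * 24):
        flows.append(Flow(start + h * HOUR, "db01", "10.0.0.50", 1_000_000))
    # One 60 MB bulk transfer to an external address: obvious to both size checks.
    flows.append(Flow(start + 5 * HOUR, "db01", "203.0.113.7", 60_000_000))
    # Trickle: 500 KB every 10 minutes to another external address (72 MB per day).
    for i in range(3 * 24 * 6):
        flows.append(Flow(start + i * 600, "db01", "198.51.100.9", 500_000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-connection (>10 MB):", per_connection_alerts(sample, 10_000_000))
    print("24h rolling (>50 MB):   ", rolling_window_alerts(sample, DAY, 50_000_000))
    print("beaconing (external):   ", beaconing_alerts(sample))
```

The per-connection check reports only the bulk destination; the rolling sum and the cadence check both add the trickle destination, while the hourly internal backup stays below the window threshold and is excluded from the beaconing check by destination.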


As a Chase customer (checking/auto) who happens to be an eBay user that shopped at Target during the data breach, this is getting really old. I wonder at what point do companies start requesting we change our account numbers (similar to passwords)?


>I wonder at what point do companies start requesting we change our account numbers (similar to passwords)?

Some already are, sorta. I made a single purchase at Target with a debit card during the period of their breach and my bank automatically sent me a new card with new numbers. It wasn't auto-activated, but once I did activate it, the old card and numbers went into the ether.


This will simply force the US towards more European style chip & pin style cards. But it will also massively accelerate the adoption of things like Apple Pay where the vendors never get access to your credit information or personal information at all.

Not that it helps a bit if they are hacking banks however.


Chip and Pin would have prevented zero of the accounts escaping Target.

There was a complete lack of encryption at key points.


Chip and Pin would prevent none of the leaks, it would prevent the usage of the stolen card numbers after the fact.


Ok, let's think this through. The chip is embedded in the card, and works if you bring the card physically to the POS terminal.

The chip is not part of the equation for online transactions. So if everything but the chip is stolen, the bad guys are going to use the card online.

Check out http://krebsonsecurity.com/2014/05/the-target-breach-by-the-..., particularly his "by the numbers" section:

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).


The PIN system as used in Europe (or at least where I live) always requires you to physically enter your PIN-Number with any purchase, even online. The card alone is useless as you MUST enter the PIN-Number, and 3 wrong tries blocks the card permanently. To make purchases online your bank would send you a small device which takes: a number supplied by the online website indicating your purchase, your card and then asks you for a PIN-Number. It then does some magic and outputs a number that you would need to verify the purchase.

It seems that this is not that same type of system or am I mistaken in some way? Seems to me that it would have helped; my account number/card number/exp. date are useless on their own.


I'm not sure how they figure that. How would having the Chip and Pin have prevented the data from being stolen? How does them encrypting the data they send relate to the cards? Those seem like separate issues.

With regards to online use, I'll say I'm not familiar with how Chip and Pin really works, but presumably they have some guard for online use, right? Or is that just wide open still?


With online use, the chip does not come into play.

How would having the Chip and Pin have prevented the data from being stolen? It does not. The "Chip and Pin" argument is brought up each time this sort of retail breach happens, like a reflex.


But what good are a bunch of card numbers if you're unable to use them due to not having the pin? Not sure you understood what I meant.


From the Brian Krebs article I referenced in another comment in this thread:

1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

So clearly they were able to use the cards.


This has nothing to do with credit card vulnerabilities.


If someone is looking for an impossible problem to solve and be paid well: JP Morgan is spending a quarter of a billion dollars this year to achieve this level of security.


Is there a breach notification list (somewhat similar to a CVE list) where companies can (anonymously at first) notify the world early and then publish technical post mortems?

Saying "76m records lost" is ok for headlines but like air traffic investigation we want to improve the whole system.


Yes - check out https://www.fsisac.com/


I haven't seen this mentioned anywhere, but Chase isn't sending email about this to their customers. If you log in there's a notice, and certainly many people get updates via the news, but the lack of direct-to-customer communication is disappointing.


The silver lining here is that as these breaches become more and more common businesses and financial institutions will be forced to get more serious about security. Chip and pin can't come to the U.S. fast enough.


Nah, they'll just go about their business after offering everyone a year of free credit monitoring, and wait for the next security breach. Nobody from these negligent companies are going to jail, so none of them are going to change the way they handle security.


You obviously do not work for a company like JP. Fear of jail is not the only motivator to address the gaps that led to this breach. There are likely hundreds of people there who are intensely motivated and now assigned to address this, driven by professionalism to work as quickly as possible.


Will we ever reach a point where large scale security breaches are a rarity rather than the norm? I feel like some of these recent issues should have been preventable.


Probably not. The space of potential security holes is very large. A would-be attacker only has to find one viable one, while the people defending against those would have to find them all. There are lots of tools to stop people from opening up well-known holes, but most issues are only "obvious" or "preventable" in hindsight.


Not until the major stakeholders are really serious about Internet security, to the point where they are willing to work to change the infrastructure of the Internet. The same goes for governments. Right now if you try to make data "too secure", and not give them some kind of backdoor ("when needed" as they say), they are actually fighting against you in the media, and possibly in Courts, Congress and through other means.

When the US government agrees to let Internet stakeholders make the Internet really secure, and not "secure to the point we can still break that security", then we should see some progress.


1. All software has bugs. (right now we do not know how to prevent this at a reasonable cost)

2. Even after discovering and fixing the bug rolling it out takes

So, no, there will always be breaches. The best you can hope for is that as the data magnitude grows, perhaps a bit more effort will go into protecting it, so that it doesn't shoot through the roof.


How soon until ALL database fields that contain personal information are encrypted so that if a hacker gains access to the data it is useless without the programs to actually access it? Why aren't we encrypting addresses, and SSN, and email, and phone number? Is this information not as important as a CC number? I think that we are starting to see that this might be almost as important if not on equal footing as our CC numbers.


Encryption comes with overhead of some sort; so far, it's not worth it. (Apparently)


I find it hard to believe that a company like JP Morgan, the largest bank in the US, can't afford to put in enough computing power to reduce this overhead..... at $6 billion in profit in just the 2nd quarter alone I think they could afford to invest a couple of million dollars to make sure their customers' data is better secured.


I didn't say they couldn't afford it. I said it isn't worth it (i.e. it's not profitable).


Let's think about this.... if they can spend maybe $10 million to be able to say to their customers... "We had a breach but your personal data was encrypted with the latest technology and is safe" vs "We had a data breach and 76 million households now have personally identifiable information up for sale across the black market."

Do you think that the goodwill from the first statement would save them $10 million? My bet is that a bank actually being able to say that a breach was a non issue because they had actually taken all possible measures to protect your data with them because they actually might care about their customers just a tiny bit would easily drive them in a positive direction both in the short term and the long term.


It's also generally ineffective, and little more than a checkmark on a compliance sheet. Just because something is encrypted doesn't mean it's not trivially accessible and readable.

Encryption, when it applies to systems that need unassisted access to data in a database, is hugely overrated.


Do we have details on the methods used in the breach? Was it via a Trojan in an email or direct attack on vulnerable front end server?


My wife just had her credit card hacked probably as a result of this (we are both with Chase). What a pain to have to deal with getting a new card and updating all the auto-pay stuff. Plus, this is probably the third or fourth time this has happened to her. They said they arrested the person, who had bought a burrito in San Diego.


From what I've read, there is no evidence of the hackers doing anything with the data they found yet. So your wife was probably the victim of some other hack (Home Depot?) or method (atm skimmer, etc.).


Woah! I'm glad I closed my accounts with Chase this weekend. I can't say that they have better security, but IAFCU[1] is a much smaller target.

[1]: https://iafcu.org


And has a much smaller information security budget, but many of the same vulnerabilities as Chase....


Unless you moved, changed your name, and/or used a different email address it won't help too much since they took this months ago. Or are you getting out assuming Chase continues to be negligent?


Chase is actually well-known for investing significantly more resources on security than their competitors.


This, the latest in a long string of security breaches, makes me very happy that Apple is moving forward on tokenized payment systems and hopefully dragging many other companies along with it.


In 20+ years, with the advent of decentralised banking (btc, etc), such stories will be impossible. Decentralised banking will not only affect security but overall money distribution in the world.


Dumb question: is there an insurance service to insure a company against errors made by their own software developers?


In a roundabout way: you can insure against data breaches and costs associated with it, etc.

And if you're contracting you'd better make sure you have indemnity insurance yourself: it's something software engineers who start freelancing often (always?) overlook. But you can bet that if - for example - some security breach was pinpointed to code that you had written as a freelancer that your client will come after you.


Errors and Omissions insurance might help with this.


Have any details come to light on how exactly the hack was achieved?


Does anyone here know anything about the nature of the attack?



