What to do in the aftermath of the JPMorgan breach

The compromise of 10s of millions of JPMorgan Chase accounts poses the greatest risk of phishing attacks on consumers and small businesses, experts say.

JPMorgan, the nation's largest bank, disclosed Thursday in a Securities and Exchange Commission filing that user contact information, including names, addresses, phone numbers and email addresses, had been stolen from its computer systems. The theft affected 76 million consumer accounts and 7 million small businesses.

While no credit card or bank account numbers were taken, the stolen information still poses a serious threat to the people and businesses affected, experts say. Criminals can use the account data in various scams aimed at tricking people into divulging payment card numbers, banking information and usernames and passwords to online accounts.

The hackers could use the stolen data themselves or just as likely sell it on underground marketplaces. With the information in hand, criminals could craft email to appear to come from Chase and ask recipients to click on a link to change their online banking credentials.

"I strongly expect to see a large increase in phishing email campaigns related to Chase banking services," Joshua Roback, architect for security-as-a-service provider SilverSky, said.

People familiar with cybersecurity would know that a bank would never request a password. However, such swindles are effective against people who are less familiar with Internet security.

"Any email that's perceived to be from Chase, they'll probably act upon it, because people are nervous. People are scared," Tom Gorup, security operations manager for Rook Consulting, said.

Not all the scams will happen online. People could receive a letter in the mail that looks like it's coming from Chase and asking the recipient to call an 800 number. Dialing the number could reach a person practiced in fooling people into disclosing sensitive information.

Crooks pretending to be from Chase could also call people affected by the breach early in the morning, when most people are still a bit groggy and more likely to provide personal information.

"Those types of attacks do work," Gorup said.

Some small businesses can be as gullible as consumers and therefore susceptible to the same types of scams. Phishing campaigns can be particularly effective, if targeted at specific individuals.

Small business owners often work hard and fast to stay alive in competitive markets, so a phone call from a scammer at the busiest time of the day might work.

"Any small business who is already a customer of JPMC should make sure all their employees are aware that the breach happened, and be specifically careful to make sure that anything that looks like communication from JPMC is actually from the bank," Mike Lloyd, chief technology officer for RedSeal Networks, said.

Chase also needs to launch an aggressive campaign that tells affected customers what the bank would never do under the circumstances, which includes asking for online banking credentials.

The Chase breach is only the latest of several high-profile compromises that has shaken consumer trust in businesses to secure customers' personal data. Retailers Target and Home Depot each lost 10s of millions of credit and debit card numbers to criminals who hacked into their electronic cash registers.

In light of the compromises, experts are calling for companies to work with government agencies in building a secure platform in which businesses can share technical details about attacks privately. Such information can help in bolstering defenses.

Banks are already increasing the amount of attack information they share with each other through the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group formed to meet a government directive to share information about cybersecurity threats to protect the nation's critical infrastructure.

"Expanding this beyond the financial services sector is the next step, and would help to bolster defenses across more of our critical infrastructure," Lloyd said.

Join the CSO newsletter!

Error: Please check your email address.

Tags JPMorgan ChasesecurityJPMorgan Chase & Co.legalphishingmalwarecybercrimesocial engineering

More about Home DepotSecurities and Exchange Commission

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place