The latest cyberattack on JPMorgan Chase shows the vulnerability of the American Bank system as well as state cyberattack notification policies.
The recent cyberattack on JPMorgan Chase was bad enough, but researchers now say that 9 additional financial institutions were also affected. The hackers, deemed to be from Russia and have distant ties with the Russian government, were said to have gained access to some 83 million accounts of JPMorgan businesses and customers while being denied access to the more critical financial information inside the company’s database. The identity of the other nine financial institutions is unknown at this time.
The hacker attack affected some 90 servers at JPMorgan Chase. The company didn’t detect the cyberattack until July. There’s been no report on just how long the Russian cyberattackers had penetrated the JPMorgan Chase bank database before being detected by the bank itself – although it seems that JPMorgan only realized the system was hacked “weeks” into the attack.
This latest Russian cyberattack is critical because, first, these hackers were able to make their way onto servers of the largest bank in the United States. If they can hack into the largest US bank, then the entire financial system in the US will become at the mercy of cyberattackers. “It was a huge surprise that they were able to compromise a huge bank like JPMorgan. It scared the pants off many people,” said Javelin Strategy and Research security analyst Al Pascual.
Next, the cyberattack itself highlights a gap in business notification policies regarding cyberattacks. Whenever a cyberattack occurs, businesses are to notify customers regarding whether or not their business accounts, or personal accounts with the victim company have been infiltrated and or abused. US policies regarding cyberattack notifications are a mess at best, with states having their own requirements for notifications.
California state law mandates that customers be notified about a possible data breach immediately, while other states only require that customers be notified in the event that personal information (social security, driver’s license, or credit card number) is stolen or retrieved from the account in the event of a hack attack. Other states can wait as long as four weeks (1 month) before notifying customers of a data breach on personal customer user accounts.
While much information has been preserved despite the prolonged attack, JPMorgan employees say that the Russian hackers made off with a file that contains every application as well as changes in code that open up the door to new vulnerabilities through which the hackers can use to gain future access to JPMorgan accounts. Due to the depth of the Russian hack attack, JPMorgan would have to pay thousands of dollars to replace current computer applications and programs and create new ones in order to protect the accounts of hundreds of thousands of employees who were victims in the latest cyberattack.
This is the equivalent of a home invasion in which nearly every possible way to get into the home has been penetrated with little time for the homeowner to rebuild. A former JPMorgan Chase employee described the cyberattack in this manner: “It’s as if they stole the schematics to the Capitol – they can’t just switch out the every single door and window pane overnight.”
No one expected JPMorgan to end up being the victim of a Russian cyberattack, but it just goes to show how much smarter internet hackers have become within the last few years. Hopefully, banks and businesses will start to prioritize internet security and hire IT employees who may find themselves becoming defenders of a country whose newest war on terrorism will be the World Wide Web.