What JP Morgan Chase's Data Breach Means For You If You're One Of the 76 Million Affected
Don't panic yet, but JPMorgan just compromised the data of 76 million households and 7 million small businesses. The bank just hasn't been able to catch a security break, and has faced ongoing scrutiny in the last three months about the security of its customers' information. On Thursday, bad news struck again. According to an SEC filing, "User contact information — name, address, phone number and email address — and internal JPMorgan Chase information relating to such users have been compromised."
But really, don't panic quite yet. Before you run off to empty your bank accounts and sell off all your stock, JPMorgan wants you to know that "there is no evidence that account information for such affected customers — account numbers, passwords, user IDs, dates of birth or Social Security numbers — was compromised during this attack."
That sound you just heard was a collective sigh of (temporary) relief.
According to the report, customer data was lost as a result of a data breach that happened in June, but was not discovered until July. Until now, it was unclear just how much customer information was compromised during the attack, but the newly released figures of 76 million households and 7 million small businesses dwarf earlier estimates that only 1 million people were affected. 76 million households represents nearly a quarter of the American population.
Experts are still unclear as to how the hack managed to proliferate unnoticed and unstopped for a month. When JPMorgan finally realized that there were hostile presences in their system, it was already far too late — hackers had already "rooted," or obtained the highest level of clearance to, 90 of their servers. Moreover, sources told the New York Times that the hackers managed to compile a list of all applications and programs found on any standard JPMorgan computer, which allows them to keep track of vulnerabilities and holes in the system.
These sources told the Times that in the months it would take for the bank to replace all these applications and relicense various programs, hackers could continue to do even more damage, or obtain more information.
According to the Wall Street Journal, the breach began when hackers were able to tap into JPMorgan's virtual private network (VPN) through an employee's personal computer. This allowed them to move further and further into the bank's systems, resulting in the massive takeover. Since discovering the breach, the Journal reports that JPMorgan "has reset passwords of every technology employee and disabled accounts that may have been compromised."
Most of the servers targeted contained the information of customers who frequented bank sites like chase.com or jpmorgan.com, either through their smartphones or their computers. But that doesn't mean that you should drown your iPhone or burn your computer — here are just a few things that you should be aware of and can do to protect yourself.
Seriously. As of Thursday, JPMorgan said that it hadn't "seen any unusual customer fraud related to this incident," which means that your checking and savings accounts should be fine. Social Security numbers don't appear to be affected, and neither do account numbers or passwords. Rather, it's just basic contact information that is currently being red-flagged as stolen.
JPMorgan has also said that in the case that unauthorized transactions do take place, customers will not be liable for any damages. In their filing, they noted, "The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter." It may not be the most comforting statement, but it should give you a little peace of mind.
All in all, despite the natural concern that arises from a data breach of this size, you should keep in mind that banks are doing everything they can to protect you. After all, you're their business. In response to these attacks as well as growing concern over cybersecurity issues, JPMorgan has pledged to spend at least $250 million every year to shield itself from these attacks, and JPMorgan CEO Jamie Dimon's annual report stated that he will appoint 1,000 employees to spearhead security efforts.
Beware of "piggyback attacks"
A tactic that is often used after a big security breach, piggyback attacks happen when ne'er-do-wells decide to take advantage of customer panic and, as USA Today says, "launch social engineering attacks." So how do you avoid these traps? Tod Beardsley, engineering manager with security firm Rapid7, told USA Today,
"The usual advice applies: If you get an e-mail or a call from a JPMorgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card or statement for the contact number; you simply can't trust that an incoming call or e-mail is legitimate and not a phishing attempt."
Although there is no evidence that any truly crucial information has been stolen, it is always wise in these situations to keep a close eye on your bank statements. If you notice any unusual activity, alert JPMorgan immediately, so that they can not only take care of your problem but also become aware of potential further issues. After the Home Depot security breach that happened earlier this year, Adam Levin, the former director of the New Jersey Division of Consumer Affairs, told NJ.com, "If you see a transaction that doesn’t make any sense immediately pick up the phone."
Consider signing up for free monitoring programs
In general, this is a pretty solid rule of thumb. For those who participate in these programs, banks send an email or text to customers whenever a transaction involving their accounts is made. Said Levin,
"These are the kind of things that people should have been doing and should continue to do regardless of the Home Depot situation because it’s the kind of thing you’ll be facing over and over again."