Threat of the Week: The Big JPMorgan Chase Breach
Right now, very little is in fact known about what have been reported to be substantial breaches at JPMorgan Chase and perhaps four other financial institutions, none of which have been named to date.
This column will review what is known, what is not known, and what all of this might mean to credit unions.
It is known that the FBI and the U.S. Secret Service are investigating the breaches, which may have international implications.
“We are working with the United States Secret Service to determine the scope of recently reported cyberattacks against several American financial institutions,” said Joshua Campbell, FBI supervisory special agent, in a statement.
The New York Times has reported large amounts of checking and savings account data were stolen in the JPMorgan breaches. While the purpose of the thefts is not known, the bank said it is not seeing any unusual or unusually high volumes of fraud in its network.
It is unclear if the thefts are connected with intended fraud, espionage or with an attempt to undermine the credibility of the U.S. financial system.
Some initial reporting claimed that the breaches were masterminded by individuals with ties to the Russian government in retaliation for U.S.-led sanctions against Russia in connection with its invasion of Ukraine.
Bloomberg News reported that the breaches were definitely associated with Russians. The New York Times is adamant that there is no proof of that.
On balance, however, the evidence points to the involvement of a nation state in the attacks.
Mike Rogers, chair of the House Intelligence Committee, who had been briefed on the attacks, described them to USA Today as very sophisticated.
“Clearly, either they were aided by or conducted by a state sponsor,” he told the publication.
In a statement to CU Times, Philip Lieberman, president/CEO of Lieberman Software, a Los Angeles-based security service management firm, said that the apparent ease with which the attackers overcame the JPMorgan Chase defenses raised profoundly worrisome questions.
“The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation state capabilities,” Lieberman said.
He added, “JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from nation state’s ability to access their systems at will.”
Lieberman said the lesson to be learned is that the financial services sector needs to up its cybersecurity game to move up from commercial security to military level security.
“Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside,” he explained.
The worse news is that it is simply very, very difficult to balance member desire for ease of access and use with the high level of security needed to ward off nation state level actors. They generally have at their disposal far more weapons and far more time than the narrowly focused, run-of-the-mill cybercriminals who want to make a quick score and then escape.
One question some are asking: if JPMorgan Chase, which is widely regarded as among the best at security and has a known willingness to budget as needed, can be penetrated, who can’t be?
“The takeaway message is that most of the financial services sector has little to no protection from nation state attacks,” Lieberman said.
Next week’s column will look at how well defended credit unions are against the so-called advanced persistent threat, the sophisticated attack used by nation states.