JPMorgan Chase has issued a statement confirming that a cyber-attack against the bank's Chase.com and JPMorganOnline.com websites on October 2nd breached customer data:
- *JPMORGAN: COMPROMISED DATA IMPACTS ABOUT 76M HOUSEHOLDS, 7M SMALL BUSINESSES
- *JPMORGAN HASN'T SEEN UNUSUAL CUSTOMER FRAUD RELATED TO INCIDENT
The bank noted it is cooperating with government agencies on their investigations.
Full JPMorgan Statement:
On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its Chase.com and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:
- User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.
- The compromised data impacts approximately 76 million households and 7 million small businesses.
- However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
- As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.
- JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.
The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.
* * *
76 million households and 7 million businesses sure sounds a whole lot like... everyone!
* * *
It gets worse... As The NY Times reports,
By the time JPMorgan first suspected the breach in late July, hackers had already “rooted” more than 90 computer servers – hacker-speak for gaining the highest level of privilege to those machines – according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer – a hacker’s roadmap of sorts – which hackers could cross check with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.
These people said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, leaving hackers plenty of time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them reentry into JPMorgan’s systems.