When news first broke of a breach at JP Morgan it was met with some skepticism among incident responders. They were just not hearing anything about this beyond the churn from the media outlets. Then the company made it known that a breach had in fact occurred. This just helped to drive speculation.
JP Morgan is the largest bank in the US with over $2.5 trillion in assets. Yesterday the bank made it known via an SEC 8-K filing that the aforementioned breach affected 76 million households and 7 million small businesses. They confirmed that contact information of customers was compromised in the breach, including name, address, phone number and email addresses. They indicated that internal JP Morgan information pertaining to customers, such as credit cards and various investment products, was also accessed by parties unknown.
The news about this has been dribbling out over the last few weeks and the facts have been hard to come by. With this disclosure we now find confirmation of the initial scope of the breach. The problem that presents itself in my mind is in the text in the paperwork that was filed. They indicated that it affected 76 million “households”. It strikes me that this could potentially expand the scope of the affected user base if there are multiple customers per household in some cases. As to the small businesses, there could potentially be multiple customers affected for each company.
According to a piece on Bloomberg,
“The attack on the lender, which is being probed by the Federal Bureau of Investigation and other agencies, started in June at the digital equivalent of the company’s front door, exploiting an overlooked flaw in one of its websites, two people familiar with the bank’s investigation have said.
“The hackers unleashed malicious programs designed to penetrate the corporate network, the people said. With sophisticated tools, the intruders reached deep into the bank’s infrastructure, siphoning gigabytes of information, until mid-August.”
This has not been officially commented on by the company, so take that for what it is worth. I’m hopeful that we will see more details emerge as the investigations unfold.
The company did point out that it has found no evidence of any fraud in relation to the purloined data at this point in time. They made a point of noting that customers that were affected by the breach are not liable for any fraud that may arise as a result.
(Image used under CC from Sarath.kuchi)