The compromise of 10s of millions of JPMorgan Chase accounts poses the greatest risk of phishing attacks on consumers and small businesses, experts say.
JPMorgan, the nation's largest bank, disclosed Thursday in a Securities and Exchange Commission filing that user contact information, including names, addresses, phone numbers and email addresses, had been stolen from its computer systems. The theft affected 76 million consumer accounts and 7 million small businesses.
While no credit card or bank account numbers were taken, the stolen information still poses a serious threat to the people and businesses affected, experts say. Criminals can use the account data in various scams aimed at tricking people into divulging payment card numbers, banking information and usernames and passwords to online accounts.
The hackers could use the stolen data themselves or just as likely sell it on underground marketplaces. With the information in hand, criminals could craft email to appear to come from Chase and ask recipients to click on a link to change their online banking credentials.
"I strongly expect to see a large increase in phishing email campaigns related to Chase banking services," Joshua Roback, architect for security-as-a-service provider SilverSky, said.
People familiar with cybersecurity would know that a bank would never request a password. However, such swindles are effective against people who are less familiar with Internet security.
"Any email that's perceived to be from Chase, they'll probably act upon it, because people are nervous. People are scared," Tom Gorup, security operations manager for Rook Security, said.
Not all the scams will happen online. People could receive a letter in the mail that looks like it's coming from Chase and asking the recipient to call an 800 number. Dialing the number could reach a person practiced in fooling people into disclosing sensitive information.
Crooks pretending to be from Chase could also call people affected by the breach early in the morning, when most people are still a bit groggy and more likely to provide personal information.
"Those types of attacks do work," Gorup said.
Some small businesses can be as gullible as consumers and therefore susceptible to the same types of scams. Phishing campaigns can be particularly effective, if targeted at specific individuals.
Small business owners often work hard and fast to stay alive in competitive markets, so a phone call from a scammer at the busiest time of the day might work.
"Any small business who is already a customer of JPMC should make sure all their employees are aware that the breach happened, and be specifically careful to make sure that anything that looks like communication from JPMC is actually from the bank," Mike Lloyd, chief technology officer for RedSeal Networks, said.
Chase also needs to launch an aggressive campaign that tells affected customers what the bank would never do under the circumstances, which includes asking for online banking credentials.
The Chase breach is only the latest of several high-profile compromises that has shaken consumer trust in businesses to secure customers' personal data. Retailers Target and Home Depot each lost 10s of millions of credit and debit card numbers to criminals who hacked into their electronic cash registers.
In light of the compromises, experts are calling for companies to work with government agencies in building a secure platform in which businesses can share technical details about attacks privately. Such information can help in bolstering defenses.
Banks are already increasing the amount of attack information they share with each other through the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry group formed to meet a government directive to share information about cybersecurity threats to protect the nation's critical infrastructure.
"Expanding this beyond the financial services sector is the next step, and would help to bolster defenses across more of our critical infrastructure," Lloyd said.