Home > News > The JPMorgan Breach Is One Part of a Larger Crisis

Comments 1 Comment

JPMorgan’s disclosure that hackers compromised the data of more than 76 million of its consumer patrons — and 7 million small business clients — may seem stunning.

But it reflects just a sliver of the withering bombardment the U.S. financial services sector has endured for at least the past three years.

Criminals go where the money is. And in this case, the most sophisticated, well-funded and determined cyber attackers have been relentlessly hammering on banks, fund managers, brokerage houses, stock exchanges and the like since at least 2011.

These cyber attacks against America’s financial infrastructure are sophisticated, well-funded and highly-coordinated. The motive: simple greed, but also ideological fervor – and sometimes both. This is not something the financial sector cares to discuss publicly.

But make no mistake. Wall Street is expending enormous resources just to keep the attackers mostly in check. The result is that disclosures of major breaches, like the one JPMorgan was compelled to reveal in this terse SEC filing, occur only sporadically.

Most breaches sooner or later get discovered and then get mitigated as quietly as possible. The good guys win some and lose some. The attackers rarely ease up. Meanwhile, cyber forensics firms Mandiant, Kroll, Stroz Friedberg and FTI Consulting find themselves booked solid with Wall Street clients, a source who works in the field recently told ThirdCertainty.

Why is this happening? In a larger sense, this is occurring because tech companies, telecoms, media giants, retailers, the banking sector and now even car makers and refrigerator makers continue to push more and more commerce into the Internet cloud and onto mobile devices.

The Internet was never meant to handle secure transactions, nor preserve an individual’s privacy. Our rush to leverage the Internet for legit commerce has spawned marginally ethical business ventures while also creating vast criminal opportunities.

Becoming Numb

The irony is that organized crime rings and nation state spies are proving more efficient and innovative at leveraging the Internet than the good guys.

“The cyber security landscape is so fraught with apathy, incompetence and improper and incorrect implementations of a security posture that these breaches just continue to happen,” says Paul Ferguson, director of threat intelligence at network monitoring firm Internet Identity. “People are becoming numb and conditioned to not even really notice anymore, and that’s dangerous.”

Not only are we getting numb, our collective memory is getting shorter. JPMorgan’s 8K filing raises more questions than it answers. And the core questions are sounding awfully familiar.

Was this a case of hacking for criminal profit, or was it more of a nation state, strategic warfare attack?

In February 2011, Nasdaq disclosed “suspicious files” were found lurking on a server supporting Nasdaq’s Directors Desk, a cloud-based collaboration service for company board members and senior executives. Little more was ever said. But think of the possibilities. It has been speculated, but never confirmed, that those hackers must have grabbed insider information and probably used it to game the market.

Starting in September 2012 and continuing into early 2013, the Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — carried out wave after wave of denial of service attacks that overwhelmed the expensive security systems of U.S. financial companies.

Knocked offline at various times were Bank of America, Charles Schwab & Co., American Express, Wells Fargo, JP Morgan Chase, Citibank and SunTrust. U.S. Sen. Joe Lieberman, I-Conn., accused Iran of targeting the American financial system in retaliation for U.S. sanctions on Iran intended to deter that nation’s nuclear program.

Then in mid 2013, a copycat group of profit-minded hackers conducted denial of service attacks against certain U.S. banks as a smoke screen to divert attention while they executed an Ocean’s 11-style wire transfer fraud, according to Gartner banking security analyst Avivah Litan.

Not long after that, in August 2013, brokerage giant Goldman Sachs reported a startling Internet-related glitch that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase, Johnson & Johnson and Kellogg Co.

Less than 48 hours after Goldman Sach’s glitch, Nasdaq reported an outage that had all the earmarks of the wave of denial of service attacks that plagued the U.S. banks a few months earlier, according to Reuters.

Roel Schouwenberg, a senior researcher at Kaspersky Lab, told me at the time that it was “definitely possible” both events were criminally orchestrated. “It could either be an operation which is financially motivated or an operation which is aimed at sabotage,” Schouwenberg told me. “However, this is speculation. These could all just be glitches of sorts, but the timing is definitely strange.”

Small Businesses at Risk

The one new wrinkle that pops out of JPMorgan’s latest disclosure is the loss of data for 7 million small business accounts. What will the data thieves do with that information?

Small business owners are particularly vulnerable. They do not enjoy the same banking protections as consumers. JPMorgan is under no obligation to make small business customers whole in cases of fraud.

The bank can invoke an obscure section of something called the Uniform Commercial Code. UCCs are state laws governing commercial contracts, which banks helped draft. It limits liability in delivering online services to businesses if certain safeguards are in place.  Consumers are protected by federal laws that limit their fraud losses in most cases to $50. But small businesses are left out on the limb. So it remains to be seen how much any of JPMorgan’s 7 million small business account holders will suffer from this breach.

Cyberrobbers have been intensely targeting small businesses, local governments, school districts, churches and nonprofits for Internet-enabled wire fraud since the mid-2000s. Internet-enabled ACH and wire transfer fraud reached a frenzied pitch, so much so, that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, actually went public about the scale of the attacks to bring attention to the problem.

The FBI disclosed that it investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million and successfully made off with $40 million. Not much has been publicly discussed about this attack vector since then, and better defenses generally are in place. But criminals continually refine attacks, especially when the potential payday is lucrative.

“I would imagine that JPMC will make right any small business fraud losses due to this breach,” Ferguson says. “The real impact here is to their brand identity, and the ability to retain business from those impacted, as well as attract new business.”

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

More on Identity Theft:

Image: longislandwins, via Flickr

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • Catalin Tutunaru

    Incompetence come from the lazy job made by recruiters, which select tech guys by the ability to market them-self through resume.

    The best ICT people which I’ve met have introvert personality, and they have no ability to sell himself.

    So, today, are more marketing guys into ICT department than ever!

    Until the current methodologies of personnel selection will be changed and adapted to the job position requirements, I see no way of improvements into security of information system.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team