JP Morgan Chase has announced that in June and July of this year over 76 million retail clients and over 7 million business clients had there personal information stolen from various company websites. The sites identified were: Chase.com, JPMorganOnline, Chase Mobile and JPMorgan Mobile. At this time it appears that what was stolen was the clients; names, addresses, phone numbers and email addresses. The company did say that at this time “there is no evidence that your account numbers, passwords, user IDs, date of birth or Social Security number were compromised during this attack.”
While it is at least reassuring that the breach did not get access to the more sensitive client account information, it is still troubling that once again a major hack has penetrated what we customers always assumed was a secure facility. And while it is true that the bank has not seen any fraudulent activity on the identified accounts, it does appear that the stolen information was subsequently used to launch a major phishing attack. In August Reuters reported that a phishing campaign named “Smash and Grab” was sending out a widely distributed email to JP Morgan Chase customers. In the bogus but official looking email, clients were instructed to click on a link so that they could see a “secure” message from JP Morgan. If a recipient clicked on the link he was instructed to enter his account information. Even if the recipient did not enter the requested information the site attempts to automatically install the Dyre banking Trojan on their PCs.
According to Proofpoint Vice President of Threat Research, Mike Horn, it is unusual for spammers to infect PCs with malware while trying to persuade users to provide banking credentials because that increases the odds of detection. Mr. Horn went on to say they are “unsure who was behind the emails, although much of the campaign’s infrastructure was in Russia and Ukraine, and the group’s tactics were consistent with those of Eastern European cybercrime gangs.”
In a series of questions and answers that JP Morgan Chase released to it’s customers regarding this security breach, it was quite telling that the final question was – “What do I need to worry about?” and the answer from the bank was – Phishing is typically the biggest risk when contact information has been compromised. We encourage you to be cautious of any communications that ask for your personal information. Don’t click on links or download attachments in emails from unknown senders or other suspicious email. We will never ask you to enter your personal information in an email or text message.
Within the past year we have seen time and again security breaches, hacks, phishing expeditions and more that have successfully stolen over a quarter of a billion client records, including; credit and debit card information, passwords, account numbers, account balances, security questions, names, addresses, phone numbers and email addresses. The damage from these ongoing attacks costs the industry hundreds of billions of dollars every year. It is critical that consumers and businesses be extremely carefully with their information (or the information entrusted to them). It is strongly recommended that passwords be made very secure. It is recommended that your password be at least 12 characters long with a mix of upper and lower case and with numerals included. Passwords should be changed on a random but frequent basis and for goodness sake do not get lazy and use the same password for multiple sites. Monitor your credit card and bank transactions and as soon as you see anything that you think is not right immediately contact your financial institution. It takes a bit of effort to protect your critical information, but it is worth the effort.