back to article JPMorgan Chase: 76 milliom homes, 7 million small biz thumped in cyber-heist

Mega-bank JPMorgan Chase has admitted to suffering a major data breach that has been rumored since August, saying that as many as 76 million households and 7 million small businesses have been affected. The bank, which has never discussed the breach publicly before, made the disclosure in a filing with the US Securities and …

  1. Gray
    Facepalm

    Erosion of trust

    Damn, damn, damn. And double-damn-it all to hell, anyway!

    Just as the various security agencies have violated trust that they will obey restrictions and rules governing respect for citizens' privacy ... so have the big banks and corporations shown that they cannot be trusted to focus effectively on security, nor do they promptly and openly reveal when massive security violations occur.

    Sorry to say, this private household shuns banks (preferring credit unions here in the US); shuns all ATM machines (hidden card scanners); avoids all credit/debit card purchases at stores (hacked POS terminals); and is increasingly going back to carrying cash for all purchases. Sad ... sad, sad, sad ... it looked to be convenient, but in the US at least, trust is gone. Example: US credit card companies are still issuing cards with the flawed magnetic strip. Epic fail.

    1. Anonymous Coward
      Anonymous Coward

      Re: Erosion of trust

      JPM use Linux for nearly everything. This was a security disaster waiting to happen...

      1. Trevor_Pott Gold badge

        Re: Erosion of trust

        I agree; when your enemy is better resources with better talent than you have, it absolutely is a security disaster waiting to fail. Even if you're using an excellent operating system like Linux, administered by administrators who know how to secure it properly.

        At the end of the day, the bad guys have more resources to find holes than the good guys do. And they will exploit them immediately, whereas the good guys then have to turn an "identified hole" into a "patched vulnerability."

        But at least they were using Linux. It's a start. If they were using Windows not only would we never have known there was a vulnerability - and thus people would still be actively exploited - but there's a good chance that by compromising such a large bank for so very long undetected they would have been able to do serious damage to the economy.

        Western nations absolutely need to up their cyber-security game because it absolutely i sa security disaster waiting to happen.

        But good on them for not using windows; it's the first step towards a more secure future.

  2. Marketing Hack Silver badge
    Facepalm

    So over 80 million JP Morgan customers had their data hacked....

    And we have to find out from an SEC filing? Isn't JP Morgan required to notify all these people before the SEC is told? And isn't it a little rich that JP Morgan says that customers won't be liable for any related financial losses as long as they let JP Morgan know about the transactions promptly--and then JP Morgan does not promptly let these customers know that they might be at risk and should be on the lookout?

    Oh well, it was getting to be time to sell my shares in JPM anyway.

  3. channel extended

    Scary Math.

    The question is how big is JPM? A breach of 76 million is about one quarter of the US and I dont think 1 out of 4 people bank there if we include business it is smaller.

    So how many were international? How many individual? How many dusiness? How Many?

    1. Marketing Hack Silver badge
      Boffin

      Re: Scary Math.

      JPMorgan is as big as a bank gets. Any bigger and they would have their own currency!

      From the first paragraph of the Wikipedia article on JPM. It's Wikipedia, so this may or may not be complete bullshit :) (But it's not)

      "JPMorgan Chase & Co. is an American multinational banking and financial services holding company. It is the largest bank in the United States, with total assets of US$2.515 trillion. It is a major provider of financial services, and according to Forbes magazine is the world's third largest public company based on a composite ranking.[4] The hedge fund unit of JPMorgan Chase is the second largest hedge fund in the United States.[5] The company was formed in 2000, when Chase Manhattan Corporation merged with J.P. Morgan & Co.[6]"

      The good news for those of you who are overseas is that this looks a lot like their retail clientele got hacked, so probably far fewer parties outside the U.S. are at risk than might have otherwise been the case.

  4. DougS Silver badge

    Zero day flaw? Shell shocked, perhaps?

    I wouldn't be surprised if there wasn't a CGI script somewhere in Chase's systems.

  5. Anonymous Coward
    Anonymous Coward

    Old java

    I think they liked you to use old java, this new stuff is so, oh akward and stuff, just use old versions it's OK.

    Pretty sure that was one of the issues back along and I saw many wierd website issue that had the hackles rising despite nothing coming up on average joe's security checking methods or AV software (other than "you have to be mad to use an old version of java" obv.)

  6. Anonymous Coward
    Anonymous Coward

    An absolute disgrace

    Hacking a public facing Web site should never result in the hacker burying their way deeper in to their network. It certainly shouldn't lead to bring able to rip off sensitive info like this off databases.

    What is even worse is the secrecy so that they can protect their almighty dollar whilst leaving thier customers hung out to dry.

    Utter Bastards!

  7. Anonymous Coward
    Anonymous Coward

    Where do/did stuff like PCI rules and audits fit into this picture?

    As title. Naive question from outside observer follows, please be gentle(ish).

    Is PCI focused purely on retailers and merchants, is there an equivalent for other parts of the financial "services" industry? A company that operates a card business (as JPM did) does or doesn't have to follow PCI standards in related other parts of the business?

    Are they just a useless waste of space and money?

    https://www.pcisecuritystandards.org/financial_institutions/ says

    The major global payment brands require that every entity -- including financial institutions as well as merchants and service providers -- that stores, processes, or transmits payment card data, in every channel – including catalog and online retailers as well as brick-and-mortar businesses -- must be in compliance with the PCI Data Security Standard (PCI DSS).

    Though the payment brands themselves determine, validate and enforce their PCI DSS compliance and reporting requirements, the PCI Security Standards Council provides a broad range of education, information and other resources on this website to assist with compliance efforts for your organization, your merchants, and your service provider partners.

    1. Anonymous Coward
      Anonymous Coward

      Re: Where do/did stuff like PCI rules and audits fit into this picture?

      They're a card issuer. As far as the PCI DSS is concerned, only in the last couple of revisions have they made any distinction between merchants and processors. The early versions simply assumed you were using tn3270 on Windows XP, on the client side, connecting to z/OS running on an IBM mainframe, on the server side. Their recent changes, to me, mean that somebody, other than E, M, & V have had a hand in the standard.

      just my two cents.

    2. kellerr13

      Re: Where do/did stuff like PCI rules and audits fit into this picture?

      Haven't you heard? They are too big to fail, so the PCI rules don't apply to them.

      The law must be binding on everyone, high and low, or there not laws at all. If the banks don't and they are not held accountable, then we don't recognize those rules either, and we would expect any "fines" to be exactly perportional.

    3. Trevor_Pott Gold badge

      Re: Where do/did stuff like PCI rules and audits fit into this picture?

      Understand that there is nothing in the PCI/DSS certification standards that would prevent a determined and well resourced (especially state resourced) attacker from penetrating a given site. It isn't what you think it is. It certainly isn't security standard of a class to keep out former KGB officers in the Russian mob.

      I agree that a bank that big should have better security, but strict adherence to PCI/DSS wouldn't stop things. You need way better security than a few tickboxes and some checklists.

  8. Anonymous Coward
    Anonymous Coward

    More lies

    They and many other banks have been saying for years that our data is encrypted, yet somehow it was exposed.

    It's reasons like this that us conspiracy theorist do not believe any of their nonsense propaganda.

    But for all of you who think I'm just a nut, you go right on believing whatever you are told by the banks and corporations and government. Everything is fine, your kids are fine, your dog is fine, and there is another ball game on TV.

    1. Anonymous Coward
      Anonymous Coward

      Re: More lies

      "Think, McFly!"

      Data encryption is fine for 'data at rest' (steal the harddisk, you can't read the data), and for 'data in transit' (sniff the network, you can't read the data), but the _application_ needs to be able to get at the encrypted data (e.g. how could JPM email you account alerts if the app can't get the email address; how can your credit card statement be sent to your home if the app can not access your home address; how can the web site show you your recent transactions if the app can not see your transaction history).

      If the vulnerabiluty is in the app then it can be used to decrypt the data.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019