In 2014, JP Morgan Chase Bank experienced a data breach whereby 83 million customer accounts were compromised in what was deemed as the largest data breach in America. The hack affected 76 million American households, which were approximated to be 67 percent of the total households in America. The attack, announced in the month of September, was uncovered by the bank’s cyber security team in July 2014, but was not contained till mid-August. The hackers stole customers’ names, postal addresses, phone numbers, and email addresses. It was reported that other personal information such as login details, social security numbers, and passwords were not compromised during the attack (McGee par.2). This paper explores the JP Morgan Chase Bank Hack, its ramifications, and what can be done to prevent such incidents in the future.
Following the attack, three individuals were accused and indicted for the crime. The three hackers were Gery Shalon, Joshua Samuel Aaron, and Zic Orenstein. The charges brought against the attackers included twenty-three counts of identity theft, unauthorized access to computers, money laundering, and securities and wire frauds. Also, the three hackers were charged for attacking other businesses such as six financial institutions, online stock brokers, financial news sites, and software companies. These included Dow Jones, ETrade, and Scottrade. Apart from stealing personal data, the hackers also engaged in other cybercrimes such as stock pumping and manipulating online gambling platforms for financial gains (Zetter par.6).
The attackers used several techniques to breach the JP Morgan’s security, such as brute-force attacks and social engineering. One of the hackers, Joshua Samuel Aaron, at one time tricked a customer to provide his login details. He then proceeded to use the customers’ platform to locate and attack the customers’ database in the banking system. The tactic that the hackers widely applied is known as the Heartbleed Vulnerability. According to McMillan, Heartbleed is a bug inside the code of an update for an internet protocol known as OpenSSL (par.4). The bug was inadvertently introduced into the internet at the beginning of 2012 and since then it has wreaked havoc for internet companies. Over the years, Heartbleed has been used by cyber criminals to steal passwords and other sensitive data.
Following the attack, the bank’s public relations department faced a lot of challenges. For example, it was difficult for the bank to convince its clients that their money and personal data were safe. The hack harmed the bank’s image in a big way, and it will take years and a lot of resources to rebuild. Also, the clients whose information was stolen are at the risk of falling prey to phishing schemes or identity theft. In addition, the hack went undetected for a long time and by then, the hackers had infiltrated deep into the computer systems and had gained administration control over the servers. This forced the bank to change its computing system and renegotiate for better protection with its software providers.
Several strategies can be used to protect the customers’ data in big institutions such as JP Morgan Chase Bank. For example, the CIO of the company can systematically and consistently classify the customer data and define the controls that should be used to handle and safeguard each data category. Such categories should include sensitive data, general, and public information. Also, each data category should be accorded appropriate protection depending on its importance and sensitivity (Lord par.7).
Sensitive data, especially that which can be used in identifying customers or that which can be exploited by theft or phishing schemes, should be protected by encryption. The data should be encrypted at all stages in the network, such as during transit and rest. Also, the company should put in place technical controls to ensure that the encryption policy is implemented. In addition, data protection strategies should incorporate relevant cyber security concepts, such as customer education, to protect unwary customers from falling prey to social engineering schemes. Furthermore, the company should avoid over-reliance on protection systems in safeguarding its data from attacks. This can be achieved by instituting a team that continuously checks for compliance with the security policies, upgrades data protection systems, and monitors the computers systems for hacker intrusions (Lord par.10).
Cyber security is an important practice in business as it safeguards against cyber-attacks. Any business can fall victim to computer hacking regardless of the level of security used for data protection. Theft of sensitive data by hackers can lead to the collapse of business or embarrass the management and the customers if such information is made public. However, companies can protect themselves from hackers by classifying data into categories and ensuring that the most sensitive data category receives maximum protection. Also, the company CIO should keep abreast with changing cyber security trends and constantly check the system for possible hacker activity.
Works Cited
Lord, Nate “An Expert Guide to Securing Sensitive Data: 34 Experts Reveal the Biggest Mistakes Companies Make with Data Security.” Digital Guardian. Digital Guardian, 12 January 2016. Web. 2 March 2016.
McGee, Suzanne. “JP Morgan data breach: how long can banks live in denial over cyber threats?” The Guardian. Guardian News and Media Limited, 3 Oct. 2014. Web. 2 March 2016.
McMillan, Robert. “How Heartbleed Broke the Internet — And Why It Can Happen Again.” Wired. Wired, 4 Nov. 2014. Web. 2 March 2016.
Zetter, Kim. “Four Indicted in Massive JP Morgan Chase Hack.” Wired. Wired, 11 Oct. 2015. Web. 2 March 2016.