A securities filing on Thursday revealed that up to 76 million households and seven million small businesses, far more than initially thought, were implicated in the cyber attack that hit JPMorgan Chase over the summer, making it one of the largest data breaches in U.S. history.
The New York-based bank confirmed in a Form 8-K filing with the Securities and Exchange Commission that user contact information – names, addresses, phone numbers and email addresses – was compromised, but at this point it doesn’t believe account numbers, passwords, user IDs, dates of birth or Social Security numbers are at risk.
The numbers far exceed initial estimates from this past summer that projected only one million accounts were affected.
Rumors of a potential data breach at the company surfaced in late August when word got out that the F.B.I. was working with the U.S. Secret Service to probe a “computer-hacking attack” at several American financial institutions.
In the disclosure, which was also published on Chase.com and JPMorganOnline.com, the company goes on to claim that it hasn’t seen any unusual customer fraud stemming from the incident just yet but that it plans to vigilantly monitor the situation going forward.
In the attack, hackers penetrated more than 90 of JP Morgan’s servers for short periods of time over the course of two months, from mid-June to mid-August, according to reports from the Wall Street Journal and the New York Times that cite people familiar with the matter. After the bank learned of the attack in mid-August, it stopped the intrusion and closed all access points.
Both reports claim the attacks originated from overseas but the Wall Street Journal’s source in particular suspects a possible Russian or Eastern European link “based on the style of attacks and the bank target.”
The massive breach adds fuel to the fire that is woeful modern-day consumer data security, following in the footsteps of the Target breach, which compromised 40 million cards in December, and this summer’s Home Depot breach, which impacted 56 million cards.
While JP Morgan was quick to stress to customers that no money was stolen in the attack, experts claim that shouldn’t entirely assuage their fears.
“The apparent stealthiness of the breach at JPMC is notable,” Dr. Mike Lloyd, the CTO of RedSeal Networks, said Thursday. “Theft of information, without any known theft of money, it’s a reminder that criminals value information highly.”
Lloyd of course is referring to the fact that attackers could easily use the information lifted from JP Morgan’s servers to craft phishing attacks, pretending to be the company later down the line to ask for the victims’ credentials.
“Attackers took full control of millions of personal and business accounts – meaning that they could transfer funds, disclose information, close accounts, and do whatever they want to the data,” Jeff Williams, the CTO of Contrast Security, also said yesterday.
“This isn’t just a normal privacy breach, this is the real deal.”