JPMorgan’s disclosure that hackers compromised the data of more than 76 million of its consumer patrons — and 7 million small business clients — may seem stunning.
But it reflects just a sliver of the withering bombardment the U.S. financial services sector has endured for at least the past three years.
Criminals go where the money is. And in this case, the most sophisticated, well-funded and determined cyber attackers have been relentlessly hammering on banks, fund managers, brokerage houses, stock exchanges and the like since at least 2011.
These cyber attacks against America’s financial infrastructure are sophisticated, well-funded and highly coordinated. The motive: simple greed, but also ideological fervor – and sometimes both. This is not something the financial sector cares to discuss publicly.
But make no mistake. Wall Street is expending enormous resources just to keep the attackers mostly in check. The result is that disclosures of major breaches, like the one JPMorgan was compelled to reveal in this terse SEC filing, occur only sporadically.
Most breaches sooner or later get discovered and then get mitigated as quietly as possible. The good guys win some and lose some. The attackers rarely ease up. Meanwhile, cyber forensics firms Mandiant, Kroll, Stroz Friedberg and FTI Consulting find themselves booked solid with Wall Street clients, a source who works in the field recently told ThirdCertainty.
Why is this happening? In a larger sense, this is occurring because tech companies, telecoms, media giants, retailers, the banking sector and now even car makers and refrigerator makers continue to push more and more commerce into the Internet cloud and onto mobile devices.
The Internet was never meant to handle secure transactions, nor preserve an individual’s privacy. Our rush to leverage the Internet for legit commerce has spawned marginally ethical business ventures while also creating vast criminal opportunities.
The irony is that organized crime rings and nation state spies are proving more efficient and innovative at leveraging the Internet than the good guys.
“The cyber security landscape is so fraught with apathy, incompetence and improper and incorrect implementations of a security posture that these breaches just continue to happen,” says Paul Ferguson, director of threat intelligence at network monitoring firm Internet Identity. “People are becoming numb and conditioned to not even really notice anymore, and that’s dangerous.”
Not only are we getting numb, our collective memory is getting shorter. JPMorgan’s 8K filing raises more questions than it answers. And the core questions are sounding awfully familiar.
Was this a case of hacking for criminal profit, or was it more of a nation state, strategic warfare attack?
In February 2011, Nasdaq disclosed “suspicious files” were found lurking on a server supporting Nasdaq’s Directors Desk, a cloud-based collaboration service for company board members and senior executives. Little more was ever said. But think of the possibilities. It has been speculated, but never confirmed, that those hackers must have grabbed insider information and probably used it to game the market.
Starting in September 2012 and continuing into early 2013, the Iranian hacking collective — Cyber Fighters of Izz ad-Din al-Qassam — carried out wave after wave of denial of service attacks that overwhelmed the expensive security systems of U.S. financial companies.
Knocked offline at various times were Bank of America, Charles Schwab & Co., American Express, Wells Fargo, JP Morgan Chase, Citibank and SunTrust. U.S. Sen. Joe Lieberman, I-Conn., accused Iran of targeting the American financial system in retaliation for U.S. sanctions on Iran intended to deter that nation’s nuclear program.
Then in mid-2013, a copycat group of profit-minded hackers conducted denial of service attacks against certain U.S. banks as a smoke screen to divert attention while they executed an Ocean’s 11-style wire transfer fraud, according to Gartner banking security analyst Avivah Litan.
Not long after that, in August 2013, brokerage giant Goldman Sachs reported a startling Internet-related glitch that set incorrect price limits and selling algorithms affecting contracts for companies such as JPMorgan Chase, Johnson & Johnson and Kellogg Co.
Less than 48 hours after Goldman Sachs’ glitch, Nasdaq reported an outage that had all the earmarks of the wave of denial of service attacks that plagued the U.S. banks a few months earlier, according to Reuters.
Roel Schouwenberg, a senior researcher at Kaspersky Lab, told me at the time that it was “definitely possible” both events were criminally orchestrated. “It could either be an operation which is financially motivated or an operation which is aimed at sabotage,” Schouwenberg told me. “However, this is speculation. These could all just be glitches of sorts, but the timing is definitely strange.”
Small Businesses at Risk
The one new wrinkle that pops out of JPMorgan’s latest disclosure is the loss of data for 7 million small business accounts. What will the data thieves do with that information?
Small business owners are particularly vulnerable. They do not enjoy the same banking protections as consumers. JPMorgan is under no obligation to make small business customers whole in cases of fraud.
The bank can invoke an obscure section of something called the Uniform Commercial Code. UCCs are state laws governing commercial contracts, which banks helped draft. That section limits liability in delivering online services to businesses if certain safeguards are in place. Consumers are protected by federal laws that limit their fraud losses in most cases to $50. But small businesses are left out on a limb. So it remains to be seen how much any of JPMorgan’s 7 million small business account holders will suffer from this breach.
Cyber-robbers have been intensely targeting small businesses, local governments, school districts, churches and nonprofits for Internet-enabled wire fraud since the mid-2000s. Internet-enabled ACH and wire transfer fraud reached such a frenzied pitch that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, went public about the scale of the attacks to bring attention to the problem.
The FBI disclosed that it investigated more than 200 cases, mostly in 2008 and 2009, in which cyber-robbers executed fraudulent transfers totaling about $100 million and successfully made off with $40 million. Not much has been publicly discussed about this attack vector since then, and better defenses generally are in place. But criminals continually refine attacks, especially when the potential payday is lucrative.
“I would imagine that JPMC will make right any small business fraud losses due to this breach,” Ferguson says. “The real impact here is to their brand identity, and the ability to retain business from those impacted, as well as attract new business.”
This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.