JPMorgan breach raises alarm about safety of financial system
|
Version 0 of 1. The hackers who orchestrated the massive cyberattacks on JPMorgan Chase this summer appeared to target far more than mere consumer data, sparking concern among government and industry officials of whether the ultimate aim was to disrupt Wall Street itself, people familiar with the investigation of the incident said. The recent cyberattacks against Home Depot, Target and other retailers were akin to a jewelry store heist. The apparent thieves broke in, took as many credit card numbers as quickly as possible and then got out. In the case of JPMorgan, hackers got access to a massive number of accounts — 83 million households and businesses. But security experts and officials are more concerned that the attackers lingered in the system and returned at least five times to see how far they could penetrate the financial giant’s internal networks, which are generally thought to be among the most secure in corporate America, said people with knowledge of the attack who were not authorized to speak publicly. That behavior indicates something more nefarious than a simple robbery. Ultimately, the hackers appeared to cull only e-mail and physical addresses of customers, the bank has said. But the attack has raised alarms in Washington, New York and beyond, given Wall Street’s critical place in the U.S. economy. The bank houses a wide range of sensitive financial information that in the wrong hands could create havoc. “Knowing that someone is trying to gather intelligence about one of the largest operators in our financial system is disconcerting,” said Chester Wisniewski, a senior adviser for Sophos, a security software vendor. “If this happens at Citibank, Bank of America or other banks, it could be a very destabilizing force to the American economy.” With the right level of access into the networks of key Wall Street firms, hackers could disrupt the financial markets, consumer advocates say. “Their goal could have been mayhem, not just cash,” Ed Mierzwinski, consumer program director at U.S. PIRG, said about the JPMorgan breach. “We’ve built a lot of protections into our banking system, but I’m not sure that we’ve really thought through all of the risks today and whether we’ve done enough.” Compared with the rest of corporate America, financial firms have enjoyed a reputation of being good at thwarting major network assaults because of their heavy investment in security. JPMorgan alone boasted of spending $250 million a year on its defenses prior to the recent attack. The financial industry is projected to spend as much as $2,500 per employee on cybersecurity this year, compared with the $400 per worker invested by retail and consumer product businesses, according to PricewaterhouseCoopers. “Everybody is pretty terrible at cybersecurity, but financial firms and defense contractors have it together the most,” said Wisniewski, the Sophos adviser. “When you consider the size of the targets painted on their backs, the one or two incidents that you’ve heard about implies that they are doing a really good job, because you can imagine how many people are trying to steal their information.” That’s not to say that Wall Street has been immune to cybercrime. Two years ago, hackers commandeered servers at several big banks, including Wells Fargo, Bank of America and JPMorgan, shutting down Web sites for hours at a time and disrupting customer transactions. A year earlier, Citigroup was the victim of an attack that affected the credit card accounts of more than 360,000 customers. “This isn’t our first rodeo,” said Doug Johnson, senior vice president of risk management policy at American Bankers Association, a trade group. “The information sharing across the sector has helped other institutions know what these attacks look like for them to be on alert.” Yet none of those earlier attacks seemed to involve the same level of infiltration into the banks’ networks as the JPMorgan intrusion. Hackers accessed the bank’s system in June, making several additional attempts to collect data until the bank caught wind of the attacks in August, the people said. They hit more than 90 servers over the course of the intrusion. People close to the investigation said the hackers obtained and found vulnerabilities in a partial list of JPMorgan’s open source applications — software programs that are shared among firms and are commonly used within cybersecurity circles. “The level of what hackers did at retailers was not rocket science, but getting into the country’s biggest bank raises consumer confidence questions. Are people going to start putting their money under a mattress?” Mierzwinski said. The severity of the threat of continued attacks on the nation’s financial giants has not been lost on regulators and law enforcement. Benjamin M. Lawsky, head of New York’s Department of Financial Services, has been in discussions with JPMorgan and other banks about the urgency of tightening cybersecurity measures. Meanwhile, the FBI and Secret Service are working with JPMorgan to piece together what happened at the bank and “determine the scope of the attacks.” |