UPDATED 10:00 EDT / DECEMBER 24 2014

Flaw in single server opened door to record bank cyber-heist

A single misconfigured server has been identified as the attack vector in the historic breach that saw the still-unidentified culprits steal information belonging to 83 million JPMorgan Chase & Co. customers over the summer, according to The New York Times. The revelation brings to light the challenges of fully protecting sprawling corporate networks.

The banking giant’s $250 million cyber defense budget – which may soon double as a result of the incident – apparently wasn’t enough to compensate for one small crack in the wall that hackers used to slip inside.

Unnamed insiders who spoke with the Times revealed that JPMorgan Chase’s IT department apparently neglected to secure the machine used in the attack with two-factor authentication, a security technique commonly used in financial services that requires a user to enter a second set of log-in credentials or respond to a challenge before gaining access.

That allowed the hackers to gain access using an employee's stolen credentials. From there, they penetrated 93 other internal servers and made off with contact information belonging to some 76 million households and seven million small businesses.

The bank only became suspicious several months after the fact when a low-key consultancy called Hold Security uncovered a stash of roughly a billion illicitly-obtained usernames and passwords in late July that had been pilfered by a gang of Russian hackers. The trove included a certificate for the website that JPMorgan Chase uses to organize its annual employee sporting event, which led to a review of internal infrastructure.

Sure enough, the Wall Street giant discovered that the same hackers who compromised the public-facing sporting portal also gained access to its sensitive back-end systems. The attackers were caught before they could put their hands on any critical financial data, but by that time, tens of millions of customer contact records had already been compromised. It was the largest cyberheist to hit an American bank to date.

The revelation comes just a few weeks after Alibaba Group Holding Ltd. had a close brush with an equally simple but potentially just as disastrous vulnerability that could have exposed tens of millions of users on its business-to-consumer wholesale marketplace to account theft. Luckily, however, the e-commerce giant received a well-timed warning from a pair of security researchers and issued a patch before the black hat community caught on. The two incidents provide a powerful lesson in the importance of not cutting corners on security, especially when it comes to the seemingly most trivial details.
