As JPMorgan Chase issues an apology to customers and acknowledges that the data breach discovered this summer lasted much longer and affected more customers than previously believed, serious questions—that industry insiders say require immediate answers—are being posed about how the breach could have gone undetected for so long.
While the financial institution assured customers “there is no evidence” that account numbers, passwords, Social Security numbers, user IDs and other sensitive information were compromised, having 76 million household and seven million small business accounts affected, as the bank's filing with the SEC indicated, lands Chase among the unenviable ranks of companies that have hosted the largest breaches to date. Most troubling, though, is that a firm as vigilant as Chase could suffer a sustained event with such sweeping implications.
“I am sure [Chase has] plenty of security; I am sure they used every trick in the books to stay safe; I am sure they take security very seriously because they are a financial institution, the largest financial institution in the US, and they know they are a target,” Pierluigi Stella, CTO, Network Box USA, said in an email statement sent to SCMagazine.com Friday. “So, how did this happen?”
After all, as Stella pointed out, slipping past security at a company like Chase takes some effort…and resources.
“Contact information for 76 million families and seven million businesses. Assume that is name, address, phone number; should we assume an allocated 100 bytes each? That makes it 8.3 billion bytes or 66.4 gigabytes,” he said. “Hackers don't use large pipes, though they may be using multiple sources of attack. To transfer that much data takes time – a lot of time.”
More troubling, the Chase breach reflects an ongoing issue in the way organizations typically detect, resolve and mitigate breaches, industry experts said.
Because “user identity [was] the main vehicle of attack,” as in the Target and Home Depot breaches, Idan Tendler, CEO at Fortscale, told SCMagazine.com in a Friday email that “once an attack bypasses the perimeter security, traditional or advanced, the hacker will make significant efforts to hijack legitimate, low level, user credentials.” From there, “it will be very difficult to identify this malicious yet stealthy behavior,” he said.
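The credential-misuse pattern Tendler describes is what per-user behavior baselining is meant to surface. The following Python is an added illustration, not code from the article or from Fortscale: it builds a profile of hosts and hours per account from constructed authentication events and flags a legitimate account that starts reaching new hosts at an unusual hour. All users, hostnames and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (ISO timestamp, user, destination host).
# BASELINE stands in for a period of known-normal activity.
BASELINE = [
    ("2014-09-01T09:12:00", "jdoe", "fileserver-01"),
    ("2014-09-01T14:40:00", "jdoe", "mail-01"),
    ("2014-09-02T10:05:00", "jdoe", "fileserver-01"),
    ("2014-09-03T11:30:00", "jdoe", "mail-01"),
    ("2014-09-01T02:00:00", "svc_backup", "db-01"),
    ("2014-09-02T02:00:00", "svc_backup", "db-01"),
]

# REVIEW is the window under investigation: jdoe's valid credential
# suddenly fans out to several hosts it never touched, at 3 a.m.
REVIEW = [
    ("2014-09-08T09:30:00", "jdoe", "fileserver-01"),
    ("2014-09-09T03:10:00", "jdoe", "db-01"),
    ("2014-09-09T03:11:00", "jdoe", "db-02"),
    ("2014-09-09T03:12:00", "jdoe", "hr-app-01"),
    ("2014-09-09T02:00:00", "svc_backup", "db-01"),
]


def build_profile(events):
    """Per-user sets of destination hosts and hours-of-day seen in the baseline."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def score(events, profile):
    """Return {user: [reason, ...]} for accounts whose activity departs from baseline."""
    findings = defaultdict(list)
    new_hosts = defaultdict(set)
    for ts, user, host in events:
        base = profile.get(user)
        if base is None:
            findings[user].append(f"unknown user at {ts}")
            continue
        if host not in base["hosts"]:
            new_hosts[user].add(host)
            findings[user].append(f"new host {host} at {ts}")
        hour = datetime.fromisoformat(ts).hour
        if hour not in base["hours"]:
            findings[user].append(f"unusual hour {hour:02d} at {ts}")
    # Fan-out: more previously unseen hosts in the window than the whole baseline had.
    for user, hosts in new_hosts.items():
        if len(hosts) > len(profile[user]["hosts"]):
            findings[user].append(f"fan-out to {len(hosts)} new hosts")
    return dict(findings)
```

Run `score(REVIEW, build_profile(BASELINE))`: the service account produces no findings, while jdoe is flagged for three new hosts, an off-hours time and fan-out.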
In an email correspondence with SCMagazine.com, Rajesh Goel, CTO at Brainlink International, Inc., laid partial blame on software and security vendors that he called “a HINDRANCE to security, not an asset.” Each vendor, he explained, “has their own quirks, their own log formats, their own training, and the defenders are drowning in point solutions.”
Goel also took the software industry to task for selling software with bugs. “The software industry does NOT have to comply with the same consumer protection laws as everyone else,” he said. “Software vendors, however, keep shipping insecure, buggy hardware and software, with no real thought to security. Software should be held to the same standards as airplanes, cars, food and water. It IS that important to our well-being and society.”