3 Risk Management Lessons From JP Morgan Chase Breach
Recently the New York Times and Wall Street Journal broke the story of how exactly the security team at JP Morgan Chase managed to find the breach this summer that exposed contact information for more than 83 million U.S. households and small businesses. It turns out that the team followed a breadcrumb trail from outside security research, which had found that more than a billion stolen passwords were held by Russian criminals. After discovering that username and password combinations from a corporate fun-run website sponsored by the bank were included in that repository, they were able to pinpoint the source of compromise for that website, only to find that the trail of clues led to a bigger problem: the offshore servers that had hacked that website appeared to have attacked the bank itself as well.
Looking even deeper into the unfolding of this Chase breach saga, I believe there are actually a number of additional lessons that security and risk managers can learn.
1. Third-party relationships always carry risks
According to Chase, the breach of the JP Morgan Corporate Challenge race website did not directly lead to the compromise of the bank’s internal assets. But I believe that the linkages between the two are hardly coincidental. As attackers seek out large caches of sensitive data from big targets like a multinational bank, they increasingly look for side doors into corporate networks, and they often find them through third-party vendors and partners. It is probable that the compromise of the race website was a probe designed to give attackers a foothold from which to reach the more valuable bank information.
2. Segregation of data can drastically cut risk
It can be really easy for security experts to cast stones at one another when big breaches like this hit the news. But I think that in some ways Chase deserves a pat on the back for this incident, because it showed how solid security practices can reduce risk. While a lot of customers were affected by the breach, Chase appears to have done a great job of properly classifying and segregating its data. The attackers’ access was limited to lower-risk data such as contact information; they did not get their hands on more sensitive information such as Social Security numbers or account numbers.
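To make the segregation point concrete, here is an added illustration (my own toy model, not a description of Chase’s actual architecture). Customer fields are classified by sensitivity and kept in separate stores, each service identity is granted a ceiling it cannot read above, and a helper computes the blast radius of a fully compromised service. The service names, field names and customer records are constructed for the example.

```python
"""Data classification and segregation as a toy model (added example, hypothetical).

Records are split into one store per sensitivity level. A service that is fully
compromised can dump at most the stores at or below its ceiling, which is the
property that limits a web-tier breach to contact data.
"""
from enum import IntEnum


class Sensitivity(IntEnum):
    CONTACT = 1      # names, addresses, email, phone
    RESTRICTED = 2   # Social Security numbers, account numbers


# Classification of every field; unknown fields are rejected, never defaulted to open.
FIELD_CLASS = {
    "name": Sensitivity.CONTACT,
    "email": Sensitivity.CONTACT,
    "address": Sensitivity.CONTACT,
    "ssn": Sensitivity.RESTRICTED,
    "account_number": Sensitivity.RESTRICTED,
}

# Least-privilege ceiling per service identity (hypothetical service names).
SERVICE_CEILING = {
    "marketing-web": Sensitivity.CONTACT,     # public-facing tier, e.g. an event site
    "core-banking": Sensitivity.RESTRICTED,   # internal tier that genuinely needs account data
}

# Constructed sample data: one physically separate store per classification level.
STORES = {
    Sensitivity.CONTACT: {
        "c-1001": {"name": "Ada Example", "email": "ada@example.com", "address": "1 Main St"},
        "c-1002": {"name": "Bob Sample", "email": "bob@example.com", "address": "2 Oak Ave"},
    },
    Sensitivity.RESTRICTED: {
        "c-1001": {"ssn": "000-00-0001", "account_number": "0000000001"},
        "c-1002": {"ssn": "000-00-0002", "account_number": "0000000002"},
    },
}


class AccessDenied(Exception):
    pass


AUDIT_LOG: list[str] = []


def read_fields(service: str, customer_id: str, fields: list[str]) -> dict:
    """Return the requested fields only if every one is at or below the caller's ceiling.

    All fields are checked before any is read, so a denied request never leaks a
    partial record, and every decision is written to the audit log for detection.
    """
    ceiling = SERVICE_CEILING.get(service)
    if ceiling is None:
        AUDIT_LOG.append(f"DENY unknown service {service}")
        raise AccessDenied(f"unknown service {service}")
    for field in fields:
        level = FIELD_CLASS.get(field)
        if level is None or level > ceiling:
            AUDIT_LOG.append(f"DENY {service} -> {customer_id}.{field}")
            raise AccessDenied(f"{service} may not read {field}")
    result = {field: STORES[FIELD_CLASS[field]][customer_id][field] for field in fields}
    AUDIT_LOG.append(f"ALLOW {service} -> {customer_id}.{','.join(fields)}")
    return result


def exposure_if_compromised(service: str) -> set[str]:
    """Field names an attacker holding this service's credentials could dump at most."""
    ceiling = SERVICE_CEILING.get(service)
    if ceiling is None:
        return set()
    return {field for field, level in FIELD_CLASS.items() if level <= ceiling}


if __name__ == "__main__":
    print(read_fields("marketing-web", "c-1001", ["name", "email"]))
    try:
        read_fields("marketing-web", "c-1001", ["account_number"])
    except AccessDenied as exc:
        print("denied:", exc)
    print("web-tier compromise exposes:", sorted(exposure_if_compromised("marketing-web")))
    print("\n".join(AUDIT_LOG))
```

The design choice worth noting is that the ceiling is attached to the service identity rather than to individual requests: a public-facing site that only ever needs contact data gets no credential that can reach the restricted store at all, so its compromise is bounded before any application-level check runs. The audit entries give the security operations team a signal when a low-ceiling identity suddenly starts requesting restricted fields.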
3. Stolen contact information has intrinsic value
The theft of seemingly disparate information (contact information and the like) illustrates that, while it is lower-risk information, it still has intrinsic value to attackers. It can be leveraged for other types of attacks, specifically phishing emails and physical mail: attackers know these people are Chase customers and can use that knowledge against them in attempts to extract more information.
As I shared with USA Today last month, with so much effort made to break into Chase through any means necessary, this is the act of a persistent attacker. Persistence like this, with no money stolen, could indicate a future planned operation or plans to use the data in question for other purposes. For example, an attacker could track down a person of interest by observing the locations of financial transactions, time an attack for when a competitor is about to wire funds to close a deal, or execute any other thought-out plan of attack you would see on the TV show “Blacklist.”