
JPMorgan Says Data Breach Affected 76M Households - anigbrowl
http://www.bloomberg.com/news/2014-10-02/jpmorgan-says-data-breach-affected-76-million-households.html
======
pcarolan
The real losers when this happens are the small businesses and nonprofits with
recurring payments that have to contact their customers and ask them to
reenter their new credit cards after they are replaced. Even in the best case,
they're probably out a month's revenue, which can make or break a company.

~~~
pantaloons
If reminding customers that they are actually making recurring payments to a
company causes that company to go out of business, I don't think we need to
shed any tears.

~~~
noir_lord
I think he meant that a sudden huge drop in recurring revenue out of the blue can
sink a small business while it's getting established.

I could see that.

------
apayan
The amount of private data about individuals that JP Morgan has makes it a
very attractive target to attackers despite any difficulty (perceived or real)
it takes to get the data.

Extending that logic, it means the NSA is an even more worthwhile target for
attackers, because they have far more private financial data about individuals
in the USA and people abroad. But you can bet that when (not if) a breach of
the NSA happens, it will never be reported to the public.

The only solution here is to do away with these centralized stores of all our
private and financial information, so the incentive for these attacks no
longer exist. There's no amount of technological hardening that will prevent a
determined attacker (state sponsored or otherwise) to give up, when the reward
for a successful attack is so high. Until then, reports of massive data
breaches are going to be more and more common.

~~~
mertd
What kind of decentralized storage are you proposing? How should a bank keep
track of customer accounts?

~~~
anthony_d
I think he was suggesting everyone stores the minimum of what they need to
function. No more, no less.

~~~
valdiorn
The minimum of what a bank needs to operate includes your phone and contact
details, social security number, your financial account number, your credit
card number and your credit rating, for sure? Because, you know... they
provide many of those numbers to you!

------
jabagawee
There are approximately 115M households in the US [1], so does this mean that
two of every three households are affected by this data breach? If so, why
isn't there more panic?

[1]:
[http://quickfacts.census.gov/qfd/states/00000.html](http://quickfacts.census.gov/qfd/states/00000.html)

~~~
ForHackernews
Because nobody will be liable. If there's fraud on my credit card, I just
phone Chase and they'll reverse the charges. In the scheme of daily
irritations, this ranks well below a parking ticket.

~~~
colinbartlett
You're not wrong.

Especially if you have been through it before, the apparatus for handling
fraud, reversing it, and cleaning things up is so tight that it's hardly even
distressing anymore. The biggest annoyance would be updating any recurring
payments from that card.

Which got me thinking: How much of my bank fees are spent on fraud prevention
and clean up? How much cheaper could credit card processing and banking in
general be if banks didn't need to spend BILLIONS of dollars in
infrastructure, procedures, and automation to make these fraud cases go so
smoothly?

~~~
emodendroket
The sticking point is that banks don't want to invest in a new system unless
they can shift liability to the consumer, which is unpopular for very good
reasons.

------
fragsworth
Nobody is really addressing the root of the problem here - that credit card
security is a total joke.

The way the credit card system works is we all send the keys to our accounts
in _plain text_, and then store it in _plain text_.

Rather than come up with a more secure means of payment, the credit card
companies force every customer to check every monthly bill on every credit
card to make sure none of it was fraudulent, and somehow this is more
"convenient" than using a secure method for payment.

~~~
teddyh
The credit card number is _both_ your public key _and_ your private key:
[http://www.icanbarelydraw.com/comic/2702](http://www.icanbarelydraw.com/comic/2702)

Related:

“_Vandalism By Design_”

[http://www.icanbarelydraw.com/comic/2570](http://www.icanbarelydraw.com/comic/2570)

[http://www.icanbarelydraw.com/comic/2574](http://www.icanbarelydraw.com/comic/2574)

[http://www.icanbarelydraw.com/comic/2674](http://www.icanbarelydraw.com/comic/2674)

“_Should We Accept Dollars?_”

[http://www.icanbarelydraw.com/comic/2565](http://www.icanbarelydraw.com/comic/2565)

[http://www.icanbarelydraw.com/comic/2697](http://www.icanbarelydraw.com/comic/2697)

[http://www.icanbarelydraw.com/comic/2706](http://www.icanbarelydraw.com/comic/2706)

------
zmmmmm
It seems odd to quantify this by "households". Is this normal? Per Wikipedia
there are only 117m households in the US. So they are basically saying close
enough to everybody. But then I am surprised that JP Morgan even has that
percentage of US households as customers in the first place!

~~~
erichurkman
Don't forget all of the acquisition activity over the last ten years.
Providian was bought by Washington Mutual, which was taken over by JP Morgan.
Add to that BankOne from the early 2000s, Bear Stearns, several other regional
banks, and their massive student lending network and it's not unbelievable
that they reach so many "households" even if those households don't bank directly
with Chase.

------
anigbrowl
I apologize for this thread being slightly duplicative of another submission.

One thing which jumped out at me from this story but was not mentioned in
others was that the attacks had been traced back to servers in a Russian data
center. I wonder if and how we can distinguish between:

- Criminal hackers exploiting lax or less capable Russian law enforcement, or

- Criminal hackers operating with the studious indifference or tacit
acceptance by Russian law enforcement, or

- State-sponsored espionage expressing a retaliatory or threatening posture
in response to western sanctions against Russia.

It's very hard (as a consumer) to gauge whether the main problem here is
corporate negligence, very well-supported attacks, or excess organizational
size and complexity...or some combination of these 3 factors.

~~~
tpurves
There is a third option. Domestic hackers who route all their attacks through
places like Russia or China for the ease of deflecting suspicion/blame.

~~~
TeMPOraL
This is important. It's all too easy to route and obfuscate your traffic so
that it appears to come from anywhere in the world you want. Given that, for
example, the US already officially declared that they will respond militarily
to a sufficiently annoying cyberattack, and that is rumoured[0] to include
going (literally) nuclear, people in power should _really_ remember that just
because a cyberattack seems to originate from country X, doesn't mean country
X is in any way involved.

[0] - I _think_ I saw something implying this in official statements, though I
can't find any good source that would confirm it right now; however the idea
was discussed in media.

------
iamleppert
I think what should happen is there should be laws that place sanctions on
these companies for negligence in failure to secure their systems. That money
should then go into a fund to provide security monitoring and
consulting/auditing services for these businesses, retribution for those who
have suffered losses due to the breaches. They clearly can't get it together
and there needs to start being punishments (fine/jail) for the IT executives
responsible. I hate to approach a problem with more regulation, but market
forces haven't been working. I think there should be at the minimum threat of
personal consequences for the executives if it is found they were negligent in
their duties in any way to provide reasonable security for their systems, and
to have processes in place to review code to ensure it does not have blatant
security issues.

~~~
SoftwareMaven
This is a horrible idea. It will immediately stifle all innovation in
software. The only laws I would be in favor of are required transparency laws
where you have to report all breaches with serious fines/jail for failure to
comply.

The market will quickly sort things out if it has the appropriate information.
People can then decide what privacy is valuable for themselves.

~~~
anigbrowl
_The only laws I would be in favor of are required transparency laws where you
have to report all breaches with serious fines/jail for failure to comply._

This is already the case. The information comes from JPM's (mandatory) SEC
filings. I forget the time frame but stuff like this (information that could
reasonably be expected to have a material impact on the stock price) has to be
reported within a pretty narrow window of becoming known to management, like
72 hours or so.

_The market will quickly sort things out if it has the appropriate
information._

By all appearances the opposite is true. I mean, where do you move your
business to? I have no idea which is the most secure bank, only which ones
have so far discovered and reported breaches. Neither Target nor Home Depot
seem to have been punished very severely by the market if their stock prices
are anything to go by.

~~~
SoftwareMaven
What was the actual information taken? How was the breach perpetrated? Two
pretty big pieces of information we are missing. There may also be daily
breaches that aren't significant enough to impact earnings that we never hear
about.

No, we do not have any kind of transparency.

The second issue (where do I go?) can't be worked out at all until we have
some idea of "where do I really not want to be?"

~~~
anigbrowl
First you said you wanted a report of all breaches, now you're asking for the
investigation to be run in public - rather a massive move of the goalposts.
Without expressing any sympathy for the banks, I'm having trouble thinking of
any business that would be willing or even able to do business under such
conditions.

~~~
SoftwareMaven
No, what I'm saying is that we don't have transparency in the reports. All we
get is "something happened", with very few details of what "something" is. My
goalposts never moved; only your interpretation of them.

Would you not agree that a data breach brought on by a disgruntled employee
selling records is materially different than the same data breach caused by
failure to patch systems? I don't care about the investigation (where did you
get any implication I think investigations should be public); I care about the
results.

~~~
enraged_camel
This sentence:

>>Would you not agree that a data breach brought on by a disgruntled employee
selling records is materially different than the same data breach caused by
failure to patch systems?

Directly contradicts this one:

>>I don't care about the investigation (where did you get any implication I
think investigations should be public); I care about the results.

The result is that people's credit card information got stolen. The
investigation and the details -- i.e. whether it was an internal or external
breach -- are not relevant to me as the customer.

~~~
SoftwareMaven
Perhaps you have a different definition of investigation than I do. I see the
investigation as the active bit where you are talking to people, looking
through logs, trying to figure out what happened. At the end of that, you
would have a report that said "this is what happened: this is the data that
was lost and this is how it was done". That doesn't imply that every interview
and every log file gets published.

Of course there is going to be some level of sanitization, but today we get no
information beyond "we lost a bunch of data" (oh, look, they told us names,
address, email, "and other information used to categorize customers", whatever
_that_ means).

If you decide it's not relevant to you, brilliant. Don't pay attention to it.
It is relevant to me, because I don't have any other way to decide who I
should trust with my information security. A company losing hundreds of credit
cards a day to hundreds of different hacks is much less secure in my mind than
a company that loses 70M names and addresses (as far as I know, the Chase hack
did not expose credit cards; mine was not replaced). The former goes
unreported; the latter gets splashed all over the news.

------
Gilly_LDN
"The number of households affected by the attack on JPMorgan [76 million
households and 7 million small businesses] compares with the 145 million
personal records taken earlier this year in a breach of EBay Inc. and last
year’s attack on retailer Target Corp., which affected 110 million."

Do 'responsive firewalls' exist, that would close a hacked connection just
because of the size of the data that is flowing out?

[I have often thought a firewall would be a good golang project]

~~~
jzila
Typically the perpetrators in these cases will trickle the data out over a
very long period of time, thus evading many alarm triggers.

~~~
Gilly_LDN
What patterns would show up?
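
One answer, as an added example that is not from this thread or from any product the thread mentions: the pattern is not volume in any single window but a steady, regular, small outbound transfer to one external host over weeks. The flow records, host addresses and thresholds below are constructed for illustration, and the two detector functions are assumptions about how such rules would be written, not a description of any real firewall.

```python
"""Compare a short-window 'responsive firewall' rule with a long-window
aggregate for spotting low-and-slow outbound data transfer.

All data here is constructed: one internal host sends ~50 KB every night
to 203.0.113.9 for 30 days (the trickle), ordinary daytime traffic to two
partner hosts, and one legitimate 1.2 MB upload on day 13.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    """Constructed flow log: (timestamp, src, dst, bytes_out), sorted by time."""
    flows = []
    start = datetime(2014, 9, 1)
    for day in range(30):
        d = start + timedelta(days=day)
        flows.append((d.replace(hour=2, minute=10), "10.0.5.17", "203.0.113.9", 48_000 + 100 * day))
        flows.append((d.replace(hour=10), "10.0.5.17", "198.51.100.20", 20_000))  # partner API
        flows.append((d.replace(hour=14), "10.0.5.17", "198.51.100.30", 5_000))   # mail relay
    # one legitimate bulk upload to the partner API
    flows.append((start + timedelta(days=12, hours=11), "10.0.5.17", "198.51.100.20", 1_200_000))
    return sorted(flows)


def burst_alerts(flows, threshold_bytes=1_000_000, window=timedelta(hours=1)):
    """Short-window volume rule per (src, dst): alert when more than
    threshold_bytes leave within any sliding window. This is what a firewall
    that 'closes a connection because of the size of the data' would do."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = set()
    for pair, recs in by_pair.items():
        recs.sort()
        lo, running = 0, 0
        for ts, nbytes in recs:
            running += nbytes
            while recs[lo][0] < ts - window:   # drop records older than the window
                running -= recs[lo][1]
                lo += 1
            if running > threshold_bytes:
                alerts.add(pair)
                break
    return alerts


def trickle_alerts(flows, window=timedelta(days=30), threshold_bytes=1_000_000,
                   min_active_days=10, max_single_share=0.1):
    """Long-window aggregate per (src, dst). Flags a pair whose total over the
    window is large, is spread over many days, and contains no single big
    transfer (so a one-off bulk upload is not mistaken for a drip)."""
    if not flows:
        return {}
    cutoff = max(ts for ts, *_ in flows) - window
    stats = defaultdict(lambda: {"bytes": 0, "days": set(), "off_hours": 0, "max": 0})
    for ts, src, dst, nbytes in flows:
        if ts < cutoff:
            continue
        s = stats[(src, dst)]
        s["bytes"] += nbytes
        s["days"].add(ts.date())
        s["max"] = max(s["max"], nbytes)
        if ts.hour < 6:                        # bytes moved between 00:00 and 05:59
            s["off_hours"] += nbytes
    report = {}
    for pair, s in stats.items():
        if (s["bytes"] > threshold_bytes and len(s["days"]) >= min_active_days
                and s["max"] <= max_single_share * s["bytes"]):
            report[pair] = {
                "bytes": s["bytes"],
                "active_days": len(s["days"]),
                "off_hours_share": round(s["off_hours"] / s["bytes"], 2),
            }
    return report


if __name__ == "__main__":
    flows = constructed_flows()
    print("burst rule fires on:", burst_alerts(flows))
    print("long-window aggregate flags:", trickle_alerts(flows))
```

On the constructed data the burst rule fires only on the legitimate 1.2 MB upload and never sees the nightly 50 KB drip, while the 30-day aggregate flags the drip host (about 1.5 MB total, 30 active days, all of it off-hours) and leaves the partner host alone because most of its volume is one transfer. The features worth keeping from this are the ones in the report: cumulative bytes per external destination over a long window, how many days the destination is contacted, how evenly the bytes are spread, and what share moves outside business hours.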

------
j79
As a Chase customer (checking/auto) who happens to be an eBay user that
shopped at Target during the data breach, this is getting really old. I wonder
at what point do companies start requesting we change our account numbers
(similar to passwords)?

~~~
SEJeff
This will simply force the US towards more European style chip & pin style
cards. But it will also massively accelerate the adoption of things like Apple
Pay where the vendors never get access to your credit information or personal
information at all.

Not that it helps a bit if they are hacking banks however.

~~~
wglb
Chip and Pin would have prevented zero of the accounts escaping Target.

There was a complete lack of encryption at key points.

~~~
shortstuffsushi
Chip and Pin would prevent _none_ of the leaks, it would prevent the usage of
the stolen card numbers after the fact.

~~~
wglb
Ok, let's think this through. The chip is embedded in the card, and works if
you bring the card physically to the POS terminal.

The chip is _not_ part of the equation for online transactions. So if
everything but the chip is stolen, the bad guys are going to use the card
online.

Check out [http://krebsonsecurity.com/2014/05/the-target-breach-by-the-...](http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/), particularly his "by the numbers" section:

_0 – The number of customer cards that Chip-and-PIN-enabled terminals would
have been able to stop the bad guys from stealing had Target put the
technology in place prior to the breach (without end-to-end encryption of card
data, the card numbers and expiration dates can still be stolen and used in
online transactions)._

~~~
tarpherder
The PIN system as used in Europe (or at least where I live) always requires
you to physically enter your PIN-Number with any purchase, even online. The
card alone is useless as you MUST enter the PIN-Number, and 3 wrong tries
blocks the card permanently. To make purchases online your bank would send you
a small device which takes: a number supplied by the online website indicating
your purchase, your card and then asks you for a PIN-Number. It then does some
magic and outputs a number that you would need to verify the purchase.

It seems that this is not that same type of system or am I mistaken in some
way? Seems to me that it would have helped; my account number/card number/exp.
date are useless on their own.

------
msabalau
If someone is looking for an impossible problem to solve and be paid well: JP
Morgan is spending a quarter of a billion dollars this year to achieve this
level of security.

------
lifeisstillgood
Is there a breach notification list (somewhat similar to a CVE list) where
companies can (anonymously at first) notify the world early and then publish
technical post mortems?

Saying "76m records lost" is ok for headlines but like air traffic
investigation we want to improve the whole system.

~~~
vscarpenter
Yes - check out [https://www.fsisac.com/](https://www.fsisac.com/)

------
boulos
I haven't seen this mentioned anywhere, but Chase isn't sending email about
this to their customers. If you login there's a notice, and certainly many
people get updates via the news, but the lack of direct-to-customer
communication is disappointing.

------
ary
The silver lining here is that as these breaches become more and more common
businesses and financial institutions will be forced to get more serious about
security. Chip and pin can't come to the U.S. fast enough.

~~~
ryandrake
Nah, they'll just go about their business after offering everyone a year of
free credit monitoring, and wait for the next security breach. Nobody from
these negligent companies is going to jail, so none of them are going to
change the way they handle security.

~~~
sswaner
You obviously do not work for a company like JP. Fear of jail is not the only
motivator to address the gaps that led to this breach. There are likely
hundreds of people there who are intensely motivated and now assigned to
address this, driven by professionalism to work as quickly as possible.

------
iaw
Will we ever reach a point where large scale security breaches are a rarity
rather than the norm? I feel like some of these recent issues should have been
preventable.

~~~
zenogais
Probably not. The space of potential security holes is very large. A would-be
attacker only has to find one viable one, while the people defending against
those would have to find them all. There are lots of tools to stop people from
opening up well-known holes, but most issues are only "obvious" or
"preventable" in hindsight.

------
bkmartin
How soon until ALL database fields that contain personal information are
encrypted so that if a hacker gains access to the data it is useless without
the programs to actually access it? Why aren't we encrypting addresses, and
SSN, and email, and phone number? Is this information not as important as a CC
number? I think that we are starting to see that this might be almost as
important if not on equal footing as our CC numbers.

~~~
wmeredith
Encryption comes with overhead of some sort; thus far, it's not worth it.
(Apparently)

~~~
bkmartin
I find it hard to believe that a company like JP Morgan, the largest bank in
the US, can't afford to put enough computing power to reduce this overhead.....
at $6 billion in profit in just the 2nd quarter alone I think they could
afford to invest a couple of million dollars to make sure their customers'
data is better secured.

~~~
wmeredith
I didn't say they couldn't afford it. I said it isn't worth it (i.e. it's not
profitable).

~~~
bkmartin
Let's think about this.... if they can spend maybe $10 million to be able to
say to their customers... "We had a breach but your personal data was
encrypted with the latest technology and is safe" vs "We had a data breach and
76 million households now have personally identifiable information up for
sale across the black market."

Do you think that the goodwill from the first statement would save them $10
million? My bet is that a bank actually being able to say that a breach was a
non issue because they had actually taken all possible measures to protect
your data with them because they actually might care about their customers
just a tiny bit would easily drive them in a positive direction both in the
short term and the long term.

------
rbanffy
Do we have details on the methods used in the breach? Was it via a Trojan in
an email or direct attack on vulnerable front end server?

------
latchkey
My wife just had her credit card hacked probably as a result of this (we are
both with Chase). What a pain to have to deal with getting a new card and
updating all the auto-pay stuff. Plus, this is probably the third or fourth
time this has happened to her. They said they arrested the person, who had
bought a burrito in San Diego.

~~~
berberous
From what I've read, there is no evidence of the hackers doing anything with
the data they found yet. So your wife was probably the victim of some other
hack (Home Depot?) or method (atm skimmer, etc.).

------
xj9
Woah! I'm glad I closed my accounts with Chase this weekend. I can't say that
they have better security, but IAFCU[1] is a much smaller target.

[1]: [https://iafcu.org](https://iafcu.org)

~~~
sswaner
And has a much smaller information security budget, but many of the same
vulnerabilities as Chase....

------
zyxley
This, the latest in a long string of security breaches, makes me very happy
that Apple is moving forward on tokenized payment systems and hopefully
dragging many other companies along with it.

------
cwiz
In 20+ years with advent of decentralised banking (btc, etc) such stories will
be impossible. Decentralised banking will not only affect security but overall
money distribution in the world.

------
pnathan
Dumb question: is there an insurance service to insure a company against
errors made by their _own_ software developers?

~~~
objclxt
In a roundabout way: you can insure against data breaches and costs associated
with it, etc.

And if you're contracting you'd better make sure you have indemnity insurance
yourself: it's something software engineers who start freelancing often
(always?) overlook. But you can bet that if - for example - some security
breach was pinpointed to code that you had written as a freelancer that your
client will come after you.

------
xedarius
Have any details come to light on how exactly the hack was achieved?

------
tootie
Does anyone here know anything about the nature of the attack?

