JPMorgan Chase announced Thursday (Oct. 2) that the attackers in its data breach accessed information on 83 million accounts—about 76 million households and 7 million small businesses—making it the largest known financial data attack.
The data grabbed appeared to be “user contact information—name, address, phone number and E-mail address—and internal JPMorgan Chase information relating to such users,” Chase said in an SEC 8-K filing. “However, there is no evidence that account information for such affected customers—account numbers, passwords, user IDs, dates of birth or Social Security numbers—was compromised during this attack” and, as of Thursday (Sept. 2), Chase “continues not to have seen any unusual customer fraud related to this incident.”
Even if this preliminary information proves to be true, the danger is far from over for the bank’s customers. First, the kind of marketing data accessed is ideal for launching phishing campaigns, where consumers are contacted and then tricked into revealing passwords or account numbers, which then allows for the actual theft of money.
Even worse, the attackers learned much about the internal IT structure of Chase, which could also fuel more damaging attacks in the near future.
The attackers “appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers—a road map of sorts—which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems,” the New York Times reported.
Speaking of the Times, it was behind some additional drama on this story on Thursday, when it reported that Chase had been victimized by a second data breach, reportedly with ties to Italy.
But shortly after Chase publicly issued an unusually explicit denial—“The story is false. We are not aware of any new attack”—the Times backed down, removing the original information from its site.