JPMorgan Chase & Co has revealed that the personal information of 83 million accounts were exposed when the company's computer systems were infiltrated this year, making the data breach one of the largest in history.
According to a SEC filing released Thursday, the names, addresses, phone numbers, email addresses and internal JPMorgan Chase information relating to users were compromised. In total, approximately 76 million households and 7 million small businesses were affected.
However, the financial institution says that there is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were left vulnerable, and to date, JPMorgan has not seen any "unusual customer fraud related to this incident."
Customers are not liable for unauthorized transactions on their account that "they promptly alert the firm to," the bank said.
JPMorgan detected computer infiltration in August this year. The cyberattack is believed to have begun through a compromised employee computer, which became infected with malware that established a VPN tunnel into the bank's networks. The US Federal Bureau of Investigation (FBI) is currently working with JPMorgan to try and unmask the culprits.
Security experts have warned that the stolen information could be used for different kinds of fraud -- such as phishing and cold-calling. Chris Boyd, Malware Intelligence Analyst at Malwarebytes told ZDNet:
"The data taken is a spammer's goldmine and could be used over a long period of time to drip feed potential victims with phishing, cold calling or targeted malware attacks via email. If any of the 76 million affected have had other data leaked in the past, it would be easy for those behind this attack to build up a robust picture of their targets and throw a little social engineering into the mix, making the emails seem less random and the phone calls more persuasive.
Anybody affected should be particularly cautious of emails claiming to be from JP Morgan over the coming months, and if in doubt should contact the sender directly to verify. That same caution would also apply to cold calling, letters and emails."
Despite this possibility, JPMorgan says on its website that customers do not need to change their passwords or account data. In addition, company spokeswoman Patricia Wexler told Reuters that the bank is not offering free credit monitoring -- which is often part-and-parcel when customers are affected by security issues -- as " no financial information, account data or personally identifiable information was compromised."
Steve Hultquist, chief evangelist at RedSeal Networks noted:
“The fact that JPMorgan Chase could be breached should send a shiver of fear through every organization on the planet. They are well aware of both the defenses necessary and the importance of protecting against concerted, automated attacks. However, this breach demonstrates that even the best reactive technology and processes aren"t enough.
Organizations need to deploy automated analysis of their entire end-to-end network access paths, using technology to find misconfigurations, unexpected consequences of configuration interactions, and other unanticipated results of the complexity of modern networked infrastructures. Using proactive cyberattack prevention, organizations can be sure that their monitoring and reactive technologies are properly placed, that their network zones are correctly implemented, and can more precisely understand the implications of their overall set of network configurations.”