JP Morgan Data Breach: What It Means for the 451,000 Victims (2024)

In a recent podcast interview with Cybercrime Magazine's Host, Heather Engel, Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, discusses the JP Morgan data breach, including what it means for the over 400,000 affected individuals and more. The podcast can be listened to in its entirety below.

Heather: Scott, welcome to the podcast!

Scott: Hey, great to be back with you, Heather.

Heather: Today, we're talking about a recent disclosure that was made by JP Morgan Chase regarding a significant data breach that affected over 451,000 retirement plan participants. The breach occurred due to a software flaw rather than a hack, but it exposed sensitive financial and personal data, including names, addresses, social security numbers and details related to payment and deductions.

Scott, can you tell us a little bit more about this story?

Scott: Yeah, absolutely. This one certainly kind of caught my eye, as I'm sure many others, just because JP Morgan is really, you know, one of the biggest, I think they're in the top 5 banks, the 5th largest somewhere in that top, 5th largest in the world, just based upon assets. I think it's just close to 4 trillion in total assets. So it really does catch a lot of people's attention. And I think the media initially reported on this and said it was a data breach. But in reality, it was really more of a software problem. And I guess that's what the fundamentally, as you dig in a little bit more, it was a software flaw, and it involved the unauthorized access by really 3 of the system users that were linked to JP Morgan customers or their agents. And the software, the issue overall, it allowed these users to have access to the planned participant data that they really weren't entitled to view. And that was part of the problem. And again, this was back some period of time. And now we're hearing again about it much later. But fortunately, JP Morgan did take fairly quick action and they basically updated the software to restrict unauthorized access. However, that being said, there was some things that were exposed. And I guess that's where the scary part always comes into play. How much and what could bad guys use if gets into the wrong hands? And that's what the scary thing is. It stands out to me.

Heather: So you mentioned, in this case, the data was accessed by system users and their agents, and it was included in reports run over a period of about 2 years. The filing with the State of Maine indicated inadvertent disclosure. So, do we treat this the same way that a hacked data breach would be? And in a situation like this, how likely is it that consumer data would be abused?

Scott: Well, I think it's a little bit less likely. It probably has to be treated similar because you really don't know the full extent of everything until an investigation is done. It's kinda dangerous to assume. Well, okay, we know where it was compartmentalized to only these individuals, and this much data was exposed potentially, we're okay. But they're taking precaution because they patch the software. They're reaching out to all of these individuals, these 451,000 individuals that potentially were affected here, or will be affected potentially. I think that that's smart to do, and they're offering the usual free credit monitoring and some stuff with Experian, really in hopes to monitor their identity. I think the number one thing is probably any type of identity theft because what was disclosed, they mentioned, was the Social Security Number, bank account, and then the routing number, I believe, and of course, address and some other things as well. But anytime those type of things are out there, right away, somebody's gonna perform identity theft, a bad guy, if it gets in their hand. But there could also be bank fraud or the usual phishing scams and account takeovers. Lots of other things that potentially could happen if this information moves on to the next set of hands or is sold on the dark web, or something like that. So I think they need to proceed very cautiously and understand the full scope and potentially what could have happened.

We'll be right back after a quick word from our sponsor.

Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.

And now, back to the podcast.

Heather: You mentioned that affected customers are being provided with identity theft protection and I'd like to talk a little more about that. How valuable is that really? When most consumers have been a victim of multiple hacks in the last few years. I know I personally have had 2 or 3 offers of free credit monitoring from various breaches just in the last 6 months. Do you think that companies should be doing more, or should they be required to do more? And how valuable is that really?

Scott: Great question. It's not that valuable because, in my opinion, oftentimes, the damage is done. So, in other words, they've compromised information. It's kind of you're waiting for the shoe to drop and say, Oh, no! Somebody's trying to do this or trying to do that. Somebody's a lot better off in taking proactive steps themselves before your information is compromised. In other words, freeze your credit, for example. Put a passcode on your bank account. I, myself, had my identity compromised not too long ago. Someone was pretending to be me, went to the bank, "Hey, I'm the president of this company, and I wanna check the balances," and so on and so forth. And fortunately, I have a note in the computer at the bank to call me if anybody does this or that, and I have a passcode set up. So if any type of suspicious activity, someone's trying to inquire about a balance, doesn't matter who it is, even if it's me, I have to provide the code. If somebody's trying to do a wire transfer, I have it so it can't be done online. It has to be done in person with my signature. So you can actually talk to your bank and figure those things out to have layers of protection in there, because once they perform identity theft, and I've talked to a lot of people that have had their identity compromised, it is a nightmare. So, just because people are monitoring and offering things, it's not that valuable. Do some things ahead of time, like freezing your credit, like adding a passcode to your banking account, and being proactive to minimize or prevent your identity from being compromised in the 1st place.

Heather: Yeah, I know I had my credit frozen, and one of the things that I counsel clients and friends and family members on is identify the accounts that are the most critical right, your banking, your retirement, even your personal email account, because that kind ofunlocks everything else, and that's where you really want to manage your risk. But yeah, credit freeze for me is what has seemed to work pretty well. So, I'd like to shift now and ask you to talk about software vulnerabilities.

This hack, as we said, occurred due to a software flaw rather than, you know, an actual hacker attacking the system. Secure software development is something that's very difficult to do. What are some steps developers can take to avoid these situations where we have a software vulnerability both when they're developing the application and once it's been released?

Scott: Securing software is really important and that's a good point you make. And I think, really, at the early stages of development, it's important for coders to really map this out. And that way, they can also test at different stages, and then, of course, after the software is complete, it's very important to have a 3rd party. When I mean a 3rd party, not the team that originally codes everything that's on the network. You really want somebody independent and often say, do a vulnerability assessment, do some penetration testing where you're actually trying to get it to fail, find the weak spots, find the vulnerabilities, expose those, so you can sure that up. And that's a really fundamental part, especially when you have things that are customer-facing, and you have customer data that's gonna be inputted and used, in this case in the world of banking and retirement, that data is really important to protect. So, they have to exhaustively test the software that's coded. Several iterations to get all those vulnerabilities out before it gets released to the public. And there's an ongoing process also from time to time, as there's security patches and updates. You gotta go back and retest it to make sure you didn't introduce a backdoor or another means for somebody to hack in and cause a problem.

Heather: Scott, thanks for your insights on this article today. Anything else you'd like to add?

Scott: No, I think other than just realized that if you had to look at any of the banks out there, JP Morgan Chase is probably spending more than any of the other banks. They're spending, on average, about 15 billion a year just towards cyber security, and they've got 62,000 people, plus that are constantly fighting daily all of these attacks. And I think that overall, they're doing a really good job at it. But again, all it takes is just one time one vulnerability that could be exploited. Be it from the inside or from the outside, and the important is that they're not giving up. Just like all banks, they need to constantly do this day in, day out, check for the vulnerabilities, try to strengthen their cybersecurity posture, and that's the only way that any of us as consumers can have a level of confidence in the banking in this digital world that we live in today.

Heather: Scott, thanks so much for being on the podcast today.

Scott: Hey, thanks for having me.