What Happened in the JP Morgan Chase Breach?

According to news released last Thursday, 76 million household accounts and 7 million small businesses were affected by a breach that occurred earlier this year. JP Morgan Chase is one of the oldest, best-known and largest financial institutions in the world. The cyber attack leaked names, addresses, phone numbers and email addresses. There is no evidence yet of passwords, sensitive personal information, or account information being stolen.

The bank discovered the intrusion on its servers in mid-August and believes the breach may have begun as early as June, a spokesperson for the bank has said. The bank has “identified and closed all known access paths.” It is possible the attackers gained their initial access by obtaining a password from an employee.

In a post on its website, the bank told customers there’s no need to change their password or account information. No cards will be reissued.

Because the hackers accessed email addresses, beware of phishing emails: don’t click on links in messages from email addresses you don’t know, or in unexpected messages that look like they might come from Chase or another trusted source.

Read the full story in the news.

Home Depot Hit By Malware Similar to Target Breach

Security researcher Brian Krebs published information on his security blog yesterday about the cyber attack on Home Depot. Reportedly, the compromised credit cards were exposed through the same malware that exposed 40 million accounts of Target customers in December 2013. He points to a new variant of the malware strain “BlackPOS,” aimed at retail accounts, which has the ability to steal credit and debit card information from the physical memory of point-of-sale devices.

If this information is true, then it could mean the same people were responsible for both breaches. Credit card numbers allegedly stolen from Home Depot have appeared on an underground cybercrime shop known as Rescator, which has also been seen selling cards stolen in the Target breach. According to Krebs, the people involved harbor anti-American sentiments.

Read the story in the news.

Over a Billion Stolen Credentials Amassed

Earlier this month, the NY Times reported that a Russian crime ring has amassed 1.2 billion user name and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is a concern among the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery, however, prompts security experts to call for improved identity protection on the web.

Read the full story online.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out if they support multi-factor authentication. He writes about his experience here.

If you are concerned about your online accounts and whether they are secure enough, you may want to take some similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication — is to update your passwords on a regular basis and manage them using a password storage manager, either LastPass, 1Password or KeePass.

The eBay Data Breach

On May 21 eBay announced that it suffered a major data breach, exposing personal data of up to 233 million registered users. The company is now being investigated by three states with a joint probe into its security practices.

eBay has been criticized for taking three months to notice the breach and then a few more weeks before making an announcement. No mass email was sent, but the company did post a warning to its website, originally with a “learn more” link that led to a blank page (now fixed).

eBay is telling all customers to reset their password. If members used their password at other sites, they should change their passwords for those sites as well.

The data was stolen via a number of compromised employee credentials, according to eBay. The thieves were then able to access the company’s corporate network.

What did the thieves get? There was no financial or other confidential personal information in the compromised database. But the thieves did get hold of real names, email addresses, phone numbers and home addresses of customers in addition to their passwords, which were encrypted.

Read the story in the news here and here.

The Story Behind the Breach at Neiman Marcus Group

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of hackers than the one behind the Target breach, because of the different method and code style used. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is fewer than 350,000, a much smaller number than first estimated.

Similar to the Target attack, the hackers moved unnoticed in the company’s computers for several months, sometimes tripping hundreds of alerts daily. While the anomalous behavior was logged on the company’s centralized security system, the system did not recognize the code as malicious or expunge it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at businessweek.com.

FTC May Charge Target for Failure to Protect

Following up on the Target Inc. breach: the FTC has been in contact with the corporation, but has failed to comment on whether it has launched a formal investigation. But former commission officials say the agency is taking a hard look at the incident, which resulted in 40 million credit card numbers falling into the hands of cyber criminals.

The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers, according to FTC lawyers.

Congress is considering legislation that would expand the FTC’s authority to allow it to fine companies for inadequate data security. Currently the agency can force a company to change its practices, but it cannot punish companies.

Read the full story in the news.

The Story Behind the Breach at Target, Inc.

Businessweek.com has written an in-depth article and posted a video explaining how Target Stores were breached and their systems infected with malware, leading to one of the biggest data thefts in retail history. According to the investigation conducted after the discovery of the theft, Target employees failed to respond to several alerts made by their security system, provided by FireEye. Had Target security staff responded appropriately to the alarms, they could have prevented the transmission of the stolen credit card data.

Even without human intervention, the breach could’ve been stopped, according to the article. “The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off.” While turning that function off is not unusual, it puts pressure on a team to quickly find and neutralize the infected computers.

It was clear, according to the article, that Target was getting warnings of a serious compromise; even the company’s antivirus system by Symantec identified suspicious behavior over several days around Thanksgiving, pointing to the same server identified by FireEye.

Read the full story on Businessweek.com.

