By Haddon Libby
Last week, JP Morgan aka Chase Bank disclosed that the August data breach of their computer systems by hackers affected more than the 1 million customer accounts previously announced. The actual number was 83 million – 76 million consumers and 7 million small businesses. An SEC filing by JP Morgan that disclosed this data breach mentions that “about nine” other financial institutions were breached by the same hackers. Other bank names were not given.
Beyond the magnitude of these ten data breaches, this round of hacking was of particular concern to the FBI and federal agencies as it is believed to have been done by “Putin sympathizers” in retaliation for sanctions imposed against Russia due to the conflict in Ukraine.
The public was slow to learn of this breach because JP Morgan believes that no account information was taken. JP Morgan states that hackers did get customer names, addresses, phone numbers and email addresses, though – just not account numbers.
According to The New York Times, the most valuable thing that the hackers stole is a file that “contained a list of every application and program deployed on standard JP Morgan computers that hackers can crosscheck with known, or new, vulnerabilities in each system in a search for a backdoor entry.” A former JP Morgan employee told The New York Times that the theft of this file is the equivalent of stealing “the schematics to the Capitol – (you) can’t just switch out every single door and window pane overnight.” This means that the hackers now know of multiple ways to potentially hack into JP Morgan computer systems as well as other banks and businesses that use similar apps and programs.
So what does this mean to you? Criminal groups know where you live, your phone number and email address. As it relates to your bank account, a consumer account is protected from fraud by federal laws that limit losses to no more than $50 most of the time.
Small business bank accounts do not have the same protections as consumer accounts. As such, anyone with a business account needs to remain on high alert for fraud for the foreseeable future. This is because JP Morgan, or any bank for that matter, has no obligation to make a business account whole in the event of fraud.
Business accounts at banks are subject to the Uniform Commercial Code (UCC). UCCs are state laws that limit a bank's liability as it relates to online services. While it would be a public relations nightmare for any bank if it did not make a client whole after a data breach, small business owners need to remain vigilant against potential fraud.
Cybercrime experts believe that this latest series of cyberattacks will lead to years of fraud. Criminals will use this information in conjunction with public information from sites like Facebook, LinkedIn, Twitter and Google to craft convincing scams meant to steal money or other passwords from potential victims.
To protect yourself from cybercrime, never give anyone your online user IDs or passwords, including representatives of the bank or business that you have the online account with. Use robust passwords on your accounts that include special characters. Get text or email alerts from your bank when certain transactions occur. Beyond virus protection software, buy fraud protection from a credit agency like Experian that will alert you to potential attempts at identity theft.
Never download free things like emoticons, files, videos or other programs onto your computer. When you download a game app, think twice about programs that want access to your contact lists or other sensitive information.
As criminal activity is sanctioned by some of America’s rivals and even the most sophisticated of companies like JP Morgan cannot prevent data breaches, you need to be more careful than ever when going online.