Entry point in JPMorgan data breach is found

The computer breach at JPMorgan Chase this summer – the largest intrusion of a U.S. bank to date – might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack.

Big corporations like JPMorgan spend millions – $250 million in the bank’s case – on computer security every year to guard against increasingly sophisticated attacks like the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a very basic one, the people said. They did not want to be identified publicly because the investigation into the attack is incomplete.

The attack against the bank began last spring, after hackers stole the login credentials for a JPMorgan employee, these people said. Still, the attack could have been stopped there.

Most big banks use two-factor authentication, which requires a second, one-time code in addition to the password before granting access to a protected system, so a stolen password on its own is not enough to log in. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers to require that second factor, the people briefed on the matter said. That single server, reachable with a password alone, left the bank vulnerable to intrusion.

The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network, several of the people briefed on the matter said, adding that, internally, the episode is seen as an embarrassment.

The relatively simple nature of the attack – some details of which have not been previously reported – puts the breach in a new light. In August, when Bloomberg News first reported on the attack, which ultimately compromised some account information for 83 million households and small businesses, the bank’s security experts and the FBI feared a sophisticated adversary. Some suspected the attack, possibly with backing from Russia, was intended as retaliation against economic sanctions levied by the United States and its allies in response to Russia’s policies in Ukraine. By mid-October, however, that theory began to fray, and the FBI officially ruled out the Russian government as a culprit.

It is still not known where the attack originated.

The bank maintains that the damage to customers was limited to the theft of email passwords, home addresses and phone numbers.

JPMorgan discovered the hackers inside its systems in August, after first finding that the same group of hackers had breached a website for a charitable race that the bank sponsors.

The revelation that a simple flaw was at issue may help explain why several other financial institutions that were targets of the same hackers were not ultimately affected nearly as much as JPMorgan Chase was. To date, only two other institutions have suffered some kind of intrusion, but those breaches were said to be relatively minor by people briefed on the attacks.

What is clear is that JPMorgan’s attack did not involve a so-called zero-day exploit, an attack on a previously unknown software flaw for which no patch yet exists, the kind of novel bug that can sell for a million dollars on the black market. Nor did the hackers use the kind of destructive malware that government officials say hackers in North Korea used to sabotage data at Sony Pictures.

Nonetheless, once inside JPMorgan, hackers did manage to gain high-level access to more than 90 bank servers, but were caught before they could retrieve private customer financial information, the people briefed on the investigations said.

The breach, which the FBI and federal prosecutors in Manhattan are treating as a criminal investigation, was not stopped until the second week of August.