JP Morgan and the boring cyber crooks
Last summer JP Morgan Chase ‘fessed up to an enormous breach that impacted some 80 million customers. Headlines at the time were alarming, with speculation even amongst security professionals and seniors in government that this must be the work of a state sponsored group. Who else could possibly achieve such a thing? Given relations between US and Russia at the time were poor, speculation was rife that this was Putins response to recently imposed sanctions.
The reality, it turns out, is much more mundane. This is an excellent article which covers it rather well. This wasn’t some enormous state backed effort – it was a small group of people running a ‘pump and dump’ scam. The same thing that made the Wolf of Wall Street so much money, just tweaked for the internet age. The criminals master plan was to use to the stolen information as a contact list, and try and sell worthless stock to their marks.
So what can we learn from this? Well, firstly that it’s possible for small groups of criminals and teenagers to successfully compromise large organisations that really should be doing better. These are not advanced groups with the funds of states behind them, but opportunists (sure, smart opportunists perhaps). They use exploit common vulnerabilities, and go undetected because of poor security monitoring. The second learning point is that it is possible for you, if you are in charge of a company, to do an awful lot better than this, and you don’t need the budget of a JP Morgan.
Finally as a consumer what can you do? It’s not your fault that your details are stolen from an organisation you have trusted. I think voting with wallets would help, and we should all take our custom away from those who clearly can’t safeguard our details. Otherwise put pressure on organisations like the ICO in the UK to come down harder on failing organisations.
Thanks for reading. Any questions, find us on twitter, or use the contact form. Also if you liked this post why not share it on Twitter or LinkedIn using the link at the top?
Rob