What the JPMorgan Hack Says about the State of Cybersecurity

The lobby of JPMorgan Chase headquarters in New York. Mark Lennihan/AP File Photo

Banks are supposed to have some of the most advanced security systems in the world. JP Morgan still got hacked.

Another month, another report of a large corporation failing to keep customer information secure. This time, it's JP Morgan reporting that 76 million households and 8 million small businesses were exposed in a data breach. At this point, it's understandable if the news doesn't cause much alarm.

To get psychological about it, it's a classic case of habituation: The first time we experience something we pay close attention, but as it happens again and again, we simply stop noticing. The first time your bank calls you and tells you to replace your credit card, it's worrying. The fifth or sixth time, it's annoying.

But hear us out: This JP Morgan Chase breach should freak you out, even if you don't bank with them. Previous data breaches have largely been confined to retail companies (Target, Home Depot, etc.), where brands are required to meet basic security protocols and not much else. "Retailers are known to be cheap," Paula Rosenblum, managing partner at Retail Systems Research, said. "But it gives me much more pause when it happens to a bank."

Banks have much more sensitive information about their customers than any retail operation, everything from social security numbers to detailed records of past spending. So far, JP Morgan reports that only limited personal information, such as names, phone numbers, and addresses, was stolen, insisting that social security numbers, banking information, and other data remain safe. "I’m assuming that [information] is encrypted," said Rosenblum. "If not, then Katy bar the door."

Then there's the sheer scale of the breach. Let's repeat: Seventy-six million households and 8 million small businesses were exposed. According to The New York Times, a few weeks ago JP Morgan believed only one million accounts were affected. So there's the possibility that the number may rise even further.

But for those exposed by JP Morgan's data breach, personal information leaks mean months of guarding against identity theft. "There's now a potential array of fraudulent activity possible without the consumer even knowing," Jeremy Edwards, lead analyst at IBISWorld, said. "If you get a phone call that seems like it's coming from a financial institution with your information, you're more likely to believe the scammer."

In addition, for the past two decades consumers have flocked towards one-stop-shop megabanks and away from smaller regional chains, meaning that there are few options for those seeking a more secure bank. "There’s no real reason to think that Bank of America will have better systems than JP Morgan," said Edwards. JP Morgan, according to Edwards, was seen as being one of the best at security. If they can get hacked, so can just about anyone.  

In the near term, the JP Morgan breach will be an ongoing headache for the bank and its customers. The bank, which reports that hackers gained root access to many of its servers, will have to essentially strip out and replace much of its internal IT infrastructure, a process that Edwards estimates could take "months at the least." During that time, JP Morgan customers will have to monitor their own finances more closely than they would have in the past.

But according to Georgetown professor of law Adam Levitin, there's really no way of preventing this type of attack from happening again. "JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked," he said. "There’s really no way you can be connected to the Internet and keep things safe."