Chase Breach Investigation: Any Answers?
Even an Unconfirmed Incident Can Hurt Bank's Brand
A week after news reports first surfaced about a suspected cyber-attack against U.S. banking giant JPMorgan Chase & Co., the bank has yet to confirm whether hackers did, indeed, breach its network (see FBI Probes JPMorgan, Other Bank Attacks).
So far, Chase has only said that it's investigating the possibility of an attack, and that it has multiple layers of defenses in place to monitor for fraudulent activity that would indicate a breach.
But Al Pascual, director of fraud and security for consultancy Javelin Strategy & Research, says continued speculation about the yet-to-be-confirmed breach could hurt the bank's reputation.
"My concern here is that even alluding to the idea [of an attack or breach] could have a serious effect on the confidence that consumers and businesses have in some of our largest institutions," he says. "This is as much an attack on the integrity of our institutions as it is on the public's trust in them."
Pascual likens the allegations about a cyber-attack against Chase to the distributed-denial-of-service attacks that targeted leading U.S. banks in 2012 and 2013. Those attacks were waged to breed fear, not perpetrate fraud, he says.
Making allegations about an attack against the biggest U.S. bank can "create an environment of fear around one of the cornerstones of our national strength," Pascual says.
What's Been Reported
The Financial Services Information Sharing and Analysis Center on Aug. 28 responded, saying it had seen no evidence to suggest a "significant" cyber-attack had been waged against Chase or any other U.S. bank.
Also on Aug. 28, leading banks, including Bank of America, Bank of New York Mellon, PNC Financial Services Group, State Street, SunTrust Banks, U.S. Bancorp and Wells Fargo, told The Wall Street Journal they had seen no indications that their networks had been intruded upon.
Then, on Sept. 4, Bloomberg reported that unnamed sources close to the investigation claimed cybercriminals had turned compromised computers from throughout the world into command-and-control centers that were used to attack Chase's network. And on Sept. 5, Bloomberg posted a follow-up story, noting that Chase may have been more susceptible to an attack because of recent shifts among its IT and security leadership.
"The FS-ISAC will not speculate on media reporting alleged compromises of institutions within the member community," FS-ISAC president and CEO Bill Nelson says in a statement provided to Information Security Media Group. "The media has so far not presented any concrete evidence of any significant cyber-activity impacting the sector, and therefore any attribution is speculative with no supporting foundation that has been presented for review. The global FS-ISAC membership sees continuous cyberthreat activity from a wide variety of adversaries. So, the claims of some security vendors and consultants drawing allusions to specific geopolitical events would seem, at the least, self-serving, from a business perspective, when they are attempting to sell their products and services to these same firms."
Silence Raises Questions
The fact that Chase has not come out to definitively say that it has not been attacked does raise questions, says financial fraud expert Shirley Inscoe, an analyst at the consultancy Aite.
"I find it very odd that Chase has not come out and stated that these reports are in error if, in fact, the reported cyber-attack did not occur," Inscoe says. "News reports that the bank was hacked can be very damaging to Chase's reputation. ... The omission of a denial may infer that the attack did occur and was successful to some extent."
A cyber-intelligence researcher, who asked not to be named, tells ISMG the suspected attack against Chase could be linked to the July attack on the European Central Bank, which resulted in the breach of e-mail addresses and other contact details, presumably of customers (see European Central Bank Breached).
While Aite's Inscoe has seen no information to suggest a link between the alleged Chase and ECB attacks, she says if e-mail addresses and other contact details about consumers were breached, it would be wise to forewarn compromised customers now.
"I think ECB should be anticipating a gigantic phishing attack against all those customers whose e-mail addresses and cell phone numbers were compromised, so I hope they are contacting and educating their clients now," she says. "If the Chase attack was similar, hopefully, they will do the same."
Jumping to Conclusions?
But without confirmation of a breach at Chase, it's dangerous to speculate about what systems may have been impacted and by whom, security experts say. In fact, many sources have been reluctant to speculate on the record about what may have happened at the nation's largest banking institution.
Meanwhile, the FS-ISAC is recommending that all of its member institutions continue to share information about cyber-attacks.
"The FS-ISAC will continue to work with members and seek to obtain clarification from all available sources and will share appropriate threat indicators and context when it becomes available," Nelson says.
"It is not the FS-ISAC's role to share information on the impact of any cyber-attacks impacting the sector or any member institution, but, rather, to ensure available threat information is shared to protect the membership," he adds. "Any disclosure around an attack and impact will always be the responsibility of the affected institution."
Even smaller institutions that may not be part of the FS-ISAC should ensure they are communicating regularly with their service providers to stay abreast of emerging attack patterns and activity, Nelson says.
Most community banks and credit unions outsource their IT operations and application systems to third-party service providers, or TSPs. The major TSPs are members of the FS-ISAC and have access to shared threat and vulnerability information, Nelson says.
Nelson also points out that cyber-investigations take time, and it could be a while before all of the details regarding an alleged attack on Chase are sorted out and revealed.
"When a typical attack occurs, law enforcement and forensic investigators launch an investigation," he says. "It can take days and even weeks for law enforcement to identify all of the tactics, techniques, procedures and threat indicators used in a particular attack. Identifying the threat actor and campaign objective is also part of that investigation, and that process can take time, too."