Back in August 2014, hackers attacked JPMorgan, putting thousands of people at risk, and now it’s been revealed that the attack could easily have been prevented. The issue? A security update was missed, which is a common factor in many hacks around the world. When two-factor authentication was recommended for one of the financial giant’s servers, the layer wasn’t added, according to the New York Times. “The oversight is now the focus of an internal review at JPMorgan that seeks to identify whether there are any other unguarded holes in the bank’s vast network…the relatively simple nature of the attack (some details of which have not been previously reported) puts the breach in a new light.” When it comes to hacks, many of them are easily preventable, and 2014 was the year of security breaches, according to many experts.
When it comes down to it, it was JPMorgan’s web host who dropped the ball. However, that doesn’t matter to the bank’s customers. It was originally estimated that around 76 million people, including small business clients, were impacted by the breach. However, with the latest Times report, that number has crawled up to 83 million. The hackers got into sensitive data, although it’s been months and it seems they won’t be using that access.
A Warning to Others
Hackers generally get into systems for one of three reasons: to make a profit, to cause mayhem, or to prove a point. The JPMorgan hackers (luckily) seem to be motivated by the last two. The Times reports, “The bank maintains that the damage to customers was limited to the theft of email passwords, home addresses and phone numbers.” Two-factor authentication has many benefits, according to Lifehacker and other media outlets, and one of them is preventing this kind of breach.
In fact, it’s one of the simplest and most relevant security measures available. Getting one password can be (relatively) easy, but needing a second, one-time-only password to get in can thwart attacks. In this case, the hackers snatched an employee’s password, which gave them instant access. The failure to add two-factor authentication is the only thing that allowed for the faux pas.
In October, WHIR connected with an expert at Avecto Consultancy & Technology Services, Andrew Avanessian, for more insight. Even then, Avanessian guessed that a few simple security measures could have stopped the JPMorgan breach. Similar steps could also have prevented the biggest hacks of 2014, like Home Depot’s. For the most part, it’s basic stuff like blocking non-whitelisted programs that can keep companies safe.
Customer data is entrusted to these companies, but for the most part businesses rely on managed shared or dedicated servers. These servers, tucked away in data centers that companies like JPMorgan never see, can be the golden ticket for hackers to get inside. Plus, with Target getting sued for negligence, a precedent has been created for service providers to better protect their customers. However, what about when it’s actually the web host that is to blame?
The good news is that breaches like this will bring to light exactly what web hosts do, the importance of server security, and why businesses need to pay better attention when choosing hosting companies. Unless you’ve bought and are managing a server yourself, there’s not much you can do when a hacker’s interest gets piqued. As for JPMorgan, they’ve learned their lesson but are still reeling from the jab.