In the latest round of confirmed data breaches, banking giant JPMorgan Chase—arguably the largest US bank—has announced that hackers may have accessed the secure information of approximately 83 million of its accounts, comprised of 76 million individual consumer accounts as well as around 7 million small business accounts.
In a filing made with the Securities and Exchange Commission yesterday, the company confirmed a breach that seems to have given criminals access to personal contact info on its account holders. This information is believed to be limited to basic data, such as individuals’ names, addresses, emails, and phone numbers, but has so far is not thought to include any account numbers, passwords, Social Security numbers, or more valuable personally identifiable information. As the consumers’ financial information seems not to have been stolen, the bank will not be providing credit monitoring services or compensation to its customers at this time.
The interesting thing for consumers to understand about this breach is that it is not the stuff of movies. In the cyberthrillers of pop culture, thieves hack into the computers and electronically deplete the accounts of their money, but that’s far from what transpired in this situation. Instead, the hackers went after personal data, which some experts say is far more valuable than the contents of your checking account. With the right information, thieves can wreak havoc with your identity or even sell your information on black market websites that deal in stolen data. It would seem nearly impossible to cover their tracks should they actually steal the money, but stealing personal data gives them a high rate of potential financial gain and a lengthy time period with which to use it before the breach is discovered and they’re shut down.
So if the hackers didn’t take consumers’ money, what are they doing with the information? Some experts have already said that the thieves in this case may use the data they garnered to launch spam and phishing attacks, presumably through email but possibly also through text message and phone calls. By selling the information to companies that send out mass-mailings on behalf of cheap advertisers, they stand to gain financially, and by using the information for phishing, they can attempt to trick consumers into falling for even bigger scams.
At this time, the investigations into the causes and the reach of this event are still underway. But the first thing that should come from this is the understanding that there’s no such thing as “too big to fail.” At the risk of oversimplifying an understandably complex issue, if JPMorgan can be breached, other companies need to take a serious look at the security protocols and the amount and type of data they gather.
Consumers, even those who do not bank with JPMorgan and whose data was therefore not accessed, should make sure that they are educated about their personal security and their online behaviors so they don’t fall for a scam or fraud attempt. Even being connected through email to someone who does business with JPMorgan could mean that your email address can receive these expected phishing emails, so make sure you know the difference between content that is safe to open and click, and what is fraudulent. The ITRC maintains a list of the top scams and phishing attempts on its website for reference.
If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign. For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.