The JPMorgan Chase cyberattack affected more than 83 million households and businesses, but the scope of the problem could have been much worse, according to experts.
The F.B.I. searched other financial institutions’ systems for the I.P. addresses that the hackers were believed to have used in the JPMorgan breach. Evidence suggested that similar attacks were attempted at other major firms, including Fidelity Investments and E*Trade. In fact, an individual briefed on the matter estimated that about a dozen other financial institutions were also infiltrated by the same group of overseas hackers, reported the New York Times.
At least five other banks also found that one of the same web addresses used in the JPMorgan breach attempted to get into their systems. These banks include ADP, Bank of the West, Citigroup, HSBC and Regions Financial.
While there was no evidence that any money was taken or personal information compromised from JPMorgan Chase or any of the other institutions, the breach was particularly troubling because the source and the motive still remains unclear.
Since the hackers allegedly hacked into multiple JPMorgan servers over a period of two months, there is some concern that these individuals gained a deep understanding of how the bank’s computers and systems operate.
The hackers confiscated a file that contained a list of every application and program deployed on standard JPMorgan computers that hackers can crosscheck for vulnerabilities, reported the New York Times.
Another New York Times article explains: “Some American officials speculate that the breach was intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.”
The issue deepens in severity when considering that a major attack on the banking system could set off another financial crisis.
Last but certainly not least, the case also calls attention to the current flaws in U.S. regulations. For starters, banks are not required to report data breaches and online intrusions unless the incident causes financial loss to customers. While breach notification laws differ by state, most laws say that customer names along with other personal information like a credit card number or Social Security number needs to be stolen before an attack must be shared with the public.
Some states also allow companies to wait up to a month before informing customers, which allows a window for thieves to use this personal information while consumers remain unaware and vulnerable.
There have been several attempts in Congress in recent years to require companies to inform customers of a possible breach in a more timely manner, but these bills have failed to see the light of day.