This morning, the Wall Street Journal reported on the front page that J.P. Morgan was hacked and suffered a cyberheist called "a significant breach of corporate computer security".
Bloomberg reported that the FBI, the US Secret Service, and even the NSA are investigating an incident that seems to have occurred in mid-August.
According to Bloomberg, Russian hackers breached the bank's defenses and compromised gigabytes of data, but the exact nature of that data remains unknown. However, they said that the attackers "grabbed sensitive data from the files of bank employees, including executives."
There is such a thing as "the fog of war" and the same thing happens in cyberwar. There are conflicting reports as to how the hackers got in. One report points to a zero-day vulnerability in one of the applications on J.P. Morgan's website.
However, other people familiar with the probe said the evidence at this moment points to malware that infected an employee's personal computer and from there the hackers were able to move further into the bank's network. "They then plowed through layers of elaborate security to steal the data, a feat security experts said appeared far beyond the capability of ordinary criminal hackers," one source said.
The news of this data breach came just days after J.P. Morgan customers were targeted by a large wave of phishing emails trying to get their banking username and password. Proofpoint researchers, who discovered the campaign, said that victims were led to a fake login portal, which delivered banking malware made to look like a Java update after their username and password were entered into the form.
The J.P. Morgan employee's PC that was infected used VPN software to work remotely and the Journal said: "Such an attack would mark the latest instance in which a large corporate network was breached by a weak external link".
My take? The weak link in this case is an employee, as their personal computer got infected with malware, and guess how that happened. They clicked on a link or were socially engineered to open up an attachment that carried a malicious payload. The human is the weak link in IT security, and this latest data breach again shows how true this is. The employee probably fell for a (spear-)phishing attack and clicked on something they should not have.
When hackers broke into Target last year and stole 40 million card numbers, they originally infiltrated the retailer by stealing a ventilation contractor's password, using the same tactic. J.P. Morgan reported in their annual report that they will spend more than $250 million per year and have about 1,000 people focused on cybersecurity.
All that time and money is wasted unless you also pay attention to the "human firewall", which you need to create first and foremost. You do that with effective security awareness training for all employees who have a PC and have access to the Internet. KnowBe4 has a highly effective program to stay safe online, both for employees in the office and at the house.
It is vitally important that all employees get educated about the dangers of the Internet. Find out how affordable this is for your organization now.