October 2014 is National Cyber Security Awareness Month, and, almost as if right on cue, cyber-attacks have been in the news.
First, there is news that as many as 83 million customer records from JPMorgan Chase & Co. were compromised in a massive cyber-attack that occurred last summer. JPMorgan, the largest U.S. bank in terms of assets, revealed in a regulatory filing last week that the widespread data breach affected customers who used the bank’s Chase.com and JPMorganOnline websites, as well as the Chase and J.P. Morgan mobile apps. While the breach may have compromised users’ contact information—such as names, addresses, phone numbers and email addresses—the bank says “there is no evidence” that customers’ financial information, such as account numbers and passwords, or their Social Security numbers were compromised.
JPMorgan emphasized that it has yet “to have seen any unusual customer fraud related to this incident.” Spokespeople also said the bank continues to investigate the matter and is cooperating with government authorities in their ongoing investigations into the breach. The Federal Bureau of Investigation and various security firms focused on digital forensics are also investigating the attacks.
Cybercrime experts nevertheless warn that years of fraud may stem from the hack because criminals can use the stolen data to “phish” for customer passwords. Their first step will likely be to use the information to send customers emails supposedly from JPMorgan Chase. Links embedded in those emails could be used to trick customers into revealing their passwords.
Other, perhaps more troubling, cyber-crime news came from the Department of Homeland Security (DHS) and the FBI. The agencies jointly announced they have seen increasing exploitation of business networks and servers by disgruntled and/or former employees. Some of these cases have resulted in significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.
Additionally, multiple incidents were reported in which disgruntled or former employees attempted to extort their employer for financial gain by modifying and restricting access to company Web sites, disabling content management system functions, and conducting distributed denial of service attacks.
The theft of proprietary information in many of these incidents was facilitated through the use of cloud storage Web sites and personal e-mail accounts. In many cases, terminated employees had continued access to their former employer’s computer networks through the installation of unauthorized remote desktop protocol software, which was installed prior to their leaving the company, according to the DHS and FBI.
A review of recent FBI cyber investigations shows that the cost to businesses for these attacks by disgruntled or former employees ranges from $5,000 to $3 million. Businesses reported various factors were used to create those cost estimates, including calculating the value of stolen data, assorted information technology services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach.
It’s one thing to learn that a major bank with significant resources at hand was a victim of a cyber-attack. Time will tell, hopefully, who was behind that attack. News of crimes by disgruntled or former employees, on the other hand, is even more worrisome because it shows that such crimes could take place at any company. Is your company prepared for cyber-attacks, whether they stem from crime syndicates or employees?