Although law enforcement agencies are still sorting out the cause, early reports indicate that the origin of the attack might involve gaining access to the JP Morgan network via a single employee’s personal computer. Unfortunately, this is a common cause of breaches: an attacker trying to penetrate an organization’s perimeter can typically find a weak link, and that weak link could be as small as one employee’s password enabling remote access to his or her system and the network.
It is all too common to see hackers using a small amount of data to access a system, then farming for sensitive data that could gain access to the entire network. In addition, there are often many more passwords buried in the data stored on a computer, and these passwords can be used as a launching pad to attack other machines in the network. Those machines ultimately pave a path toward whatever data is the hacker’s ultimate goal.
Hackers are harvesting sensitive data such as passwords to gain further access to an organization, but once they have access, they’re then taking other sensitive data such as credit card numbers, account information, social security numbers, trading information, and intellectual property. A large enterprise like JP Morgan typically has all of the above—and with the number of customers JPMC has, it is a huge target for stealing information that could lead to identity theft.
Stealing social security numbers provides a quick win for hackers, as opposed to a different piece of data that could be used for insider trading, simply because selling an SSN on underground websites is harder to trace than buying and selling stock using insider secrets on the market. As we saw with Target, one contractor’s password ultimately led to the theft of 40 million credit cards. While Target suffered not only great legal and recovery expenses but also a loss of revenue, the hackers have been profiting from selling that sensitive information ever since.
Attacks today are less about defacing a website, shutting down a system with denial of service, or sabotaging a company: they are more about data. Stealing the data for illicit use such as breaking into other systems or selling the data to other criminals is the end game, and once you understand that, it is easy to see that sensitive data management must be a high security priority.