When J P Morgan announced in August that 1 million of its users’ bank accounts had been hacked by criminals, there was an outcry. Many security professionals understandably wanted to know why it had taken the bank 2 months to notify users about cyber-breach. They also wondered whether the bank might have been economical with the true scale of the data breach. However, despite of these misgivings the general consensus was that it could’ve been worse, particularly in light of some of the more severe hacks that had been reported before and since. Now 2 months later the true scale of the illegal penetration of the bank’s defences has come to light, and it seems that not only could it have been worse: it actually was.
In a filing to the Securities and Exchange Commission (SEC), the J P Morgan revealed that it wasn’t 1 million user accounts that were hacked: it was in fact 76 million separate U.S. user accounts and 7 million small business accounts that were compromised. As miscalculations go, that takes some beating. Although the bank has been at pains to point out that there have been no signs of fraudulent activity on any of these accounts, and that there are no indications that any critical information, like account numbers, birth dates or social security numbers have been compromised, the bank’s reputation and credibility has been severely damaged by the cyber-attack.
The fall-out from this highly-publicised data breach has reached right across the Atlantic, and is now being debated in Westminster. In February the Bank of England warned that the British financial sector needed to be better prepared for hackers after a simulated attack. Now an influential group of MPs is investigating whether the financial system is at serious risk of cyber-security breaches, amid growing concerns that customers and businesses are inadequately protected. The House of Commons Treasury Select Committee has held a series of high-level meetings with regulators and other experts on cyber-crime in recent months and is working towards addressing the hacking issue further in the coming months.
The committee is one of the most powerful forces in the financial sector and is responsible for scrutinising the activities of the Bank of England and the Government. It is widely believed that members have raised the issue of cyber-security at a number of private discussions with senior individuals, including at a recent meeting with policymakers at the Bank, and expressed its concerns about crime-crime vulnerability in the financial sector for both institutions and customers. Although the committee has only held one public meeting with the City of London police, it is known that its chairman of the cross-party Treasury Select Committee, Andrew Tyrie, has repeatedly raised the matter with both banks and regulators.
Mr Tyrie told the Sunday Telegraph of his misgivings and his concerns about banking’s vulnerability to cyber-attack:
‘The Treasury Committee has been looking at this issue for a number of years.’ he told the newspaper.
‘The JP Morgan case illustrates the scale of the risks and importance of ensuring that firms, regulators, and, where appropriate, intelligence agencies are taking all reasonable steps to prevent cyber-crime.’
It is believed the committee will call representatives from the financial supervisory bodies, the Financial Conduct Authority and the Bank of England’s Prudential Regulation Authority, for public hearings in the coming months.
Cyber security is an issue that affects all businesses, not just large financial institutions. If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.
Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].