JP Morgan Breached, Again - Ucard Program Targeted

JP Morgan was breached for the second time in 2 years, with their Ucard program at the center of the attack. 2013’s attack led to 50,000 people being exposed, while the numbers for the current attack are still being tabulated. Forensics and numbers are being produced at a rapid rate, with the aid of federal law enforcement agencies (FBI, Secret Service). This Zero Day Attack exposed a very well funded security network. The attack was discovered during a routine scan, and at that point it was way too late. The attack continues to challenge the reasoning behind why companies continue to store such toxic data while having a very tacit understanding of the consequences. Will this breach change the way JP Morgan handles its sensitive data in the future? Will this breach change the way JP Morgan handles your sensitive data?

What is a Zero Day Attack and Can it be Stopped?

A zero-day vulnerability refers to a hole in software that is unknown to the vendor. Bluntly stated, these are unknown channels through which cyber-thieves penetrate the infrastructure and slowly release malware that exposes sensitive data. Unfortunately, there is no way to stop the Zero Day Attack. Organizations must work backwards to see where the hole resides in their data environment. By the time most organizations realize that they have been breached, it is too late and the data will be gone forever.

Who is Responsible and How Did They Gain Access?

JP Morgan has not come out and directly blamed any one group, but all forensics point to a hacking group based out of Russia. Using very advanced tools, the cyber-thieves penetrated deep into the bank’s infrastructure, quietly draining gigabytes of sensitive data, including customer-account data, until mid-August. Then, the hackers routed the attacks through computers in several countries (Onion Networks), which is a technique designed to hide identity. The traffic was redirected to a large city in Russia, according to another person familiar with the probe.

The cyber-thieves gained access to the bank’s data center, collecting credentials and other PII (Personally Identifiable Information) that customers give the bank and that the bank gives customers through the Internet. Investigators found multiple layers of malicious software designed to compromise specific weaknesses in the JP Morgan network. No specifics on the number of records breached or people involved in the breach have been reported. Both the FBI and Secret Service are getting involved with the investigation.

Who is impacted?

Anyone who banks with or uses the JP Morgan financial platform. The first government entity to report that its records were breached was the State of Louisiana Department of Children and Family Services. The LDCFS was one of the first to receive notification of the breach. JP Morgan provides pre-paid debit cards (Ucards) for income tax refunds and other state-funded programs. These pre-paid debit cards extend to many more state and federal entities. Therefore, be prepared for an obscenely large number of organizations reporting breached data. Both the FBI and Secret Service are now actively involved in the investigation. The JP Morgan Ucard program extends to similar programs in Utah, Texas, Connecticut, Illinois, Pennsylvania, Ohio, New York, Missouri, Kansas, and Oklahoma. This is the second data breach for JP Morgan in the past 2 years. Last year’s breach led to the exposure of 50,000 people.

Will History Repeat Itself?

The numbers say yes. Most financial institutions will look at this breach and convince themselves that they are not in harm’s way. JP Morgan thought the same way, twice. You can only hope that this massive breach will change the way JP Morgan and other financial institutions handle and manage sensitive data in the future. They have 2 painful examples from which to deduce a new data security strategy. Other financial institutions must take heed of what these breaches cause both internally and externally.

It is easy to point out what others have failed at without offering a solution. That is why I want to directly challenge your current data security methodologies. As a former QSA for the PCI Security Council, I understand risk points and vulnerabilities. The only solution is to remove toxic data from your environment, lowering your risk & compliance.

Tokenization removes Toxic Data and Risk

Tokenization is pretty perfect for these types of hacks. Essentially, Zero Day attacks are the worst – no doubt. However, if there’s no sensitive data there to breach, then the “attack was successful, but the breach was unsuccessful.” That should be the goal organizations have in protecting their sensitive assets. By simply tokenizing all sensitive data, you reduce your PCI scope and compliance by up to 95%. Batch Tokenization and Credit Card Vaulting are two of our specialties. You retain unlimited flexibility in how you access, store, and secure your sensitive information. TokenEx is not limited to just tokenization of payment card data, as we can Tokenize ALL data sets. For more information on how you can reduce your PCI compliance and scope, while still maintaining complete control over your tokenized data, visit Follow us Twitter and LinkedIn.
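The "attack was successful, but the breach was unsuccessful" argument, as an added sketch that is not TokenEx code or its API: the same PAN scanner is run over a copied application table before and after tokenization. `TokenVault`, `find_pans`, the token format and the card numbers (constructed test values) are assumptions made for illustration.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the check digit scheme used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only system that ever stores a real card number."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:          # same card always maps to one token
            return self._token_by_pan[pan]
        # Random letters, not derived from the PAN, so the token cannot be
        # reversed; the last four digits are kept for receipts and support.
        body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(dump: str) -> list:
    """What a DLP scan (or a thief) can recover from a copied table."""
    return [m for m in PAN_RE.findall(dump) if luhn_ok(m)]

def demo():
    vault = TokenVault()
    cards = {"alice": "4111111111111111", "bob": "5555555555554444"}  # constructed
    legacy_db = "\n".join(f"{n},{p}" for n, p in cards.items())
    tokenized_db = "\n".join(f"{n},{vault.tokenize(p)}" for n, p in cards.items())
    return find_pans(legacy_db), find_pans(tokenized_db), vault

if __name__ == "__main__":
    before, after, _ = demo()
    print("PANs in legacy table:", before, "| in tokenized table:", after)
```

The vault itself still holds the real numbers, so it is the component that needs the strongest isolation and access control.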


Topic(s): payments, data security, PCI DSS, tokenization