But how worried should you be?
“If all they got was essentially marketing data, I think we’ll all be breathing a very heavy sigh of relief,” said cybersecurity expert Brian Krebs. “But it’s probably too soon to say we’ve heard the last of what the bad guys were able to achieve.”
Without critical information, like your password, user ID or credit card number, there is a limited threat to your bank account, he said. That doesn’t mean that JPMorgan customers are completely out of the woods.
Hackers can use the e-mail addresses they lifted for phishing scams to gain access to customer computers. They could send a legitimate-looking e-mail from the bank that contains malicious software or asks customers for log-in or account information.
“It’s best just to go to the site to manage your relationship with the company,” Krebs said. “Avoid clicking links and attachments in e-mail. And that’s general advice, not just specific to Chase.”
Beware of any phone calls from anyone claiming to be from the bank as well, since hackers also got a hold of phone numbers, said Chester Wisniewski, a senior adviser for Sophos, a security software vendor. He said anytime a financial institution calls you, hang up and call the number on the back of your credit or debit card.
“Any legitimate financial company is going to be prepared for that if they’re communicating over the phone,” Wisniewski said.
Things could have been a lot worse if the hackers had ripped off debit or credit card information, as was the case in the Home Depot and Target breaches. That sort of attack requires banks to replace your cards and monitor your accounts for fraud, but JPMorgan officials said those steps are unnecessary because no financial or account data fell into the hands of criminals.
Company spokeswoman Kristin Lemkau said, “We have not seen any increased fraud as a result of this attack. If we did, we’d react differently.”
Any customers who access their JPMorgan accounts through the Web or a smartphone were affected by the breach. Hackers first accessed the bank’s system sometime in June, making additional attempts to siphon off more data until the bank figured out what was happening in August. JPMorgan said it has identified and closed access paths into its network, and has found no evidence that the attackers are still in there. Thieves may have stolen employee passwords to infiltrate the network.
“Anytime there are clearly well-organized, and probably well-funded attackers inside of the country’s largest banks for more than a month at a time, we should be concerned,” Krebs said. “It says a lot about the ability of smaller institutions to withstand similar attacks, especially since Chase has gone on record saying they’re spending a quarter of a billion dollars a year on security.”
As breaches go, JPMorgan was fairly expedient in notifying their customers, Wisniewski said, though it took over a month. That is “still on the long side,” but “if it looks like innocent data was taken, you don’t want to panic people by suggesting more was stolen than really was, so you need a little time to investigate,” he said.
If you’re still feeling uneasy about your JPMorgan account, Krebs said “there is no substitute for people taking responsibility for their own financial security.”
Identity protection products, he said, are “clean up services” that don’t stop crooks from stealing your identity, but will tell you once it happens. Krebs said the products, which many banks sell as credit card add-ons, are designed to help people recover from identity theft.
In the wake of the string of retail data breaches, many victimized companies set up free credit and identity monitoring for customers. Take advantage of those services if you are eligible, but keep an eye on your account yourself, Krebs advises.