Know Your Risk: Lessons From The JPMorgan Chase Breach
On Tuesday, information emerged about the JPMorgan Chase breach in 2014, in which data on approximately 80 million customers was stolen. From the details in the indictment of the accused perpetrators, fourteen other firms in the financial services sector were also targeted (although not all were confirmed to have been breached), including ETrade, Scottrade, the Wall Street Journal, TD Ameritrade, Fidelity Investments, Dow Jones, and a Boston-based mutual fund firm.
The long and short of it is this: customer data, not including the attributes normally regarded as higher value such as SSNs and account numbers, was easily monetized through criminal activity, online casinos, and pump-and-dump stock manipulation schemes, generating millions of dollars. The criminals targeted customers to get them to purchase stocks whose prices were artificially inflated and presented as still rising. The stocks were then dumped for a profit, sending their value down the drain and leaving the investors at a loss.
That being said, the first lesson is that your customer and other non-public data, even without the high-value bits, is worth much more than most companies' valuation of it. This data will continue to be targeted as cybercrimes like these evolve, and it deserves more protection.
The indictment also revealed the method the criminals used to hack some of the data, which provides us with the second lesson. The cyber attackers involved were not just outsiders looking to get in; they seemed to be veterans of the financial industry. They used their customer, merchant, and third-party vendor accounts, and created multiple shell accounts and identities, to footprint, find, and exploit vulnerabilities in these institutions.
While insider threats are usually well vetted and vendor/third-party risk is currently a popular topic, how often have the possible threats and risks from your own customers been reviewed? The lesson here? Paying customers can be attackers. Perform penetration tests and application vulnerability scans from their perspective and ensure least-privileged access.
Lesson three is that unpatched vulnerabilities should be taken more seriously. Heartbleed was a very high-profile vulnerability which affected just about every SSL service running on every device. Everyone in the IT/IS communities understood the vulnerability and the exposure, and was quick to patch it. However, some organizations took days and even weeks to completely patch for Heartbleed after its public announcement, and there is supporting evidence that the criminals were successfully gaining access to these systems during that time.
Does your organization underestimate being exposed to vulnerabilities for even a short period of time, or does it understand that a breach could have taken place and hunt for indicators of compromise? This is a question of culture and security mindfulness: accepting that even the smallest exposure can result in the worst-case scenario.
Additional attack methods by the criminals in the indictment included brute-forcing passwords and social engineering credentials to the Scottrade and ETrade networks. These types of attacks should rarely occur if appropriate policies and access controls are in place, such as two-factor authentication and policies for account lockout and password complexity.
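To make the account-lockout and password-complexity controls mentioned above concrete, here is an added example (not code from the original post or from any of the firms named in it). It assumes a hypothetical authentication log format of "timestamp user source_ip SUCCESS|FAIL" and illustrative thresholds (five failures in ten minutes locks an account for thirty minutes); the log lines are constructed for the example. Replaying the log shows which accounts the policy would lock, why an attacker who guesses correctly after the lockout is still refused, and why failures spread out beyond the window do not trigger it.

```python
"""Sliding-window account lockout, password policy check, and brute-force
detection over a constructed auth log. Added illustration; format and
thresholds are assumptions, not a recommended standard."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

MAX_FAILS = 5                    # failures tolerated inside the window
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
LOCKOUT = timedelta(minutes=30)  # how long an account stays locked


def password_meets_policy(pw: str, min_len: int = 12) -> bool:
    """Minimal complexity policy: minimum length plus three of four classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return len(pw) >= min_len and sum(bool(c) for c in classes) >= 3


class LockoutPolicy:
    """Tracks recent failures per account and enforces a lockout period."""

    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime the lockout expires

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, user: str, now: datetime, success: bool) -> str:
        """Apply one attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # refused regardless of whether the password was right
        recent = self.failures[user]
        while recent and now - recent[0] > WINDOW:   # expire old failures
            recent.popleft()
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILS:                 # threshold reached: lock
            self.locked_until[user] = now + LOCKOUT
            recent.clear()
            return "locked"
        return "failed"


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

# Constructed sample log (hypothetical users and documentation-range IPs).
SAMPLE_LOG = [
    "2014-06-01T09:00:00 alice 203.0.113.7 FAIL",
    "2014-06-01T09:00:05 alice 203.0.113.7 FAIL",
    "2014-06-01T09:00:10 alice 203.0.113.7 FAIL",
    "2014-06-01T09:00:15 alice 203.0.113.7 FAIL",
    "2014-06-01T09:00:20 alice 203.0.113.7 FAIL",     # fifth failure: lockout
    "2014-06-01T09:00:25 alice 203.0.113.7 SUCCESS",  # right password, still refused
    "2014-06-01T09:01:00 bob 198.51.100.4 FAIL",
    "2014-06-01T09:01:30 bob 198.51.100.4 SUCCESS",   # normal user typo, then login
    "2014-06-01T09:00:00 carol 192.0.2.9 FAIL",
    "2014-06-01T09:01:00 carol 192.0.2.9 FAIL",
    "2014-06-01T09:02:00 carol 192.0.2.9 FAIL",
    "2014-06-01T09:15:00 carol 192.0.2.9 FAIL",       # earlier failures have expired
    "2014-06-01T09:16:00 carol 192.0.2.9 FAIL",
    "2014-06-01T09:17:00 carol 192.0.2.9 FAIL",
]


def replay(log_lines):
    """Run the policy over a log; report outcomes, locked accounts and
    non-successful attempts per source IP (a simple brute-force indicator)."""
    policy = LockoutPolicy()
    outcomes = []
    fails_by_ip = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the replay
        ts, user, ip, result = m.groups()
        outcome = policy.record(user, datetime.fromisoformat(ts), result == "SUCCESS")
        if outcome != "ok":
            fails_by_ip[ip] += 1
        outcomes.append((user, outcome))
    return {"outcomes": outcomes,
            "locked_accounts": sorted(policy.locked_until),
            "fails_by_ip": dict(fails_by_ip)}


if __name__ == "__main__":
    report = replay(SAMPLE_LOG)
    print("locked:", report["locked_accounts"])
    print("non-successful attempts by IP:", report["fails_by_ip"])
```

The per-source counts are the piece a detection team would alert on, since a lockout alone tells the victim's account was attacked but not where from; two-factor authentication, which the post also names, is what makes a correctly guessed password insufficient even when the lockout has expired.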
The events at JPMorgan Chase might be a glimpse into the future of cybercrime, where hacking is just one piece of a puzzle in a larger criminal enterprise. This was "hacking to support a diversified criminal conglomerate," Manhattan U.S. Attorney Preet Bharara said. "Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds."
Share your thoughts below... -Mike
Photo by Alex Proimos / CC BY