Asda insurer and 83m JPMorgan customers hacked

A UK-based insurer has joined banking group JPMorgan in admitting this week that it has been hacked, with 83 million customer accounts compromised on the latter.

Post Carbanak, bank CEOs fear cyber-attacks will harm business growth
Post Carbanak, bank CEOs fear cyber-attacks will harm business growth

Global banking giant JPMorgan admitted this week that 83 million of its customer accounts were breached in August. And the UK's Brightside Group – which manages car insurance for Asda and Debenhams and runs the eCar brand – has also admitted to suffering a security breach. Brightside has more than 400,000 individual and business customers in the UK.

At JPMorgan, the bank's customers are now being warned to expect phishing attacks, after it said in a regulatory filing on Thursday that hackers have obtained the names, phone numbers, email and postal addresses of 76 million individual customers and seven million small-business customers.

The breaches hit the firm across its Chase.com and JPMorganOnline websites and its Chase and J.P. Morgan mobile apps.

The hack was first reported by the Bloomberg new agency in August, when estimates put the compromise at about a million customer accounts.

Bloomberg said at the time that another four US-based banks were also hacked in what is suspected to have been an attack by Russian cyber criminals using a zero-day flaw. The FBI is investigating.

JPMorgan's shares fell on news of the admission. The firm has clients in more than 100 countries and currently spends £156 million (US$ 250 million) a year and deploys around 1,000 staff on cyber security.

Bank senior vice president Neila B Radin said in its Thursday statement: “User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised. The compromised data impacts approximately 76 million households and seven million small businesses.

“However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or social security numbers – was compromised during this attack.” JPMorgan also said it has not seen any customer fraud related to the hack.

Commenting on the breach, Mike Loginov, secretary of the ISSA-UK security professionals organisation and CEO of cyber security consultancy firm Ascot Barclay, said it would likely lead to phishing attacks on the compromised users.

He told SCMagazineUK.com: “Criminal gangs are harvesting this data for future use. They're collecting information from an organisation that deals not with the average man-in-the-street but perhaps people who are of a more wealthy nature which is obviously what's attractive to the criminal gangs - and that would point to phishing activity.”

Another security expert, Check Point UK managing director Keith Bird, echoed this warning. He said in a statement to journalists: “Although detailed data on accounts is reported to be safe, the attackers were able to steal a range of contact information. So customers need to be very careful not to click on links in emails which appear to come from JPMorgan advising them about changes to account security, no matter how authentic the email seems to be.

“Attackers will try and trick customers affected by the breach into revealing more details, such as account numbers and passwords. For the attackers, it's just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks.”

Brightside

Meanwhile, UK-based Brightside Group admitted in a statement sent to SCMagazineUK.com on Friday that it suffered “a perimeter security breach to its IT system” on Monday 29 September. But the group claims “no customer data had been taken”.

Brightside said that on Monday evening, a hacker claimed they were going to post Brightside policyholder information on Twitter. Following its investigation protocols, the group identified a risk, temporarily closed down its websites and had the hacker's Twitter account removed.

The group added: “As the hacker gained a perimeter-level entry, Brightside has taken the precaution of a detailed security review of its databases, which showed that customer data has not been compromised.

“A complete review of security, utilising both internal and external data security expertise and detailed penetration testing, is taking place to ensure all customer data remains secure and safe.”

The group said it is aware of how the breach occurred and has removed the exposure.

Brightside describes itself as one of the fastest growing insurance broking and financial services businesses in the UK. It runs the vehicle insurance schemes offered by high-street retailers Asda and Debenhams, and the eCar insurance brand.

Brightside is directing customer enquiries to 03332 224561 or enquiries@ecarinsurance.co.uk.

Commenting on this breach, Loginov told SC: “It's another company that's now stating that they have been breached and we'll continue to see this - it's a rising trend, it's not a diminishing trend.

“There's a creeping realisation by organisations that breaches are wide-ranging, and there's probably not an organisation on the planet that has at some point been breached, whether they know it or not. Every organisation should take the healthy view that they have been breached and work back from that position.”

Sign up to our newsletters