When $250 Million Can't Buy Cyber-Peace

Last week's newspapers brought the unsettling news that JP MorganChase’s internal CRM systems were penetrated by unknown attackers, compromising the personal information of 76 million households and 7 million small businesses. The Bank had released a statement to its clients on Thursday noting that “there is no evidence” that account numbers, ATM PINs, or social security numbers were accessed during the cyber attack. Today, news reports indicate that four other large financial services companies including Citibank and E*Trade were targeted by the same group, thought to be based in Eastern Europe or the Middle East. In the case of JP Morgan Chase, the investigation has been focused on the personal computer of a single employee whose system may have been compromised by malware. The incident continues to be investigated by the FBI, Secret Service, and JP Morgan’s own private vendors, so there’s no need to speculate on who is responsible or what other information may have been compromised in the attack. Still I hesitate to note that the Bank’s soft “no evidence” qualifier gives it plenty of wiggle room should the investigation uncover additional data leakages. The point here is that like the two other large data breaches of 2014 -- Target and Home Depot -- the JP Morgan Chase breach occurred in its private data center, the kind that is built at significant cost to resist these sorts of attacks – or at least detect and repel them when they do. JP Morgan’s annual report shares that the bank spends more than $250 million annually on cybersecurity, and will have 1,000 employees focused on the task by the end of this year. Most banks do not have the size or management scale to match JP Morgan Chase’s annual investment, but if even $250 million can’t buy cyber-peace, what chance do average sized banks have of protecting themselves from the next malware du Jour? I contrast this situation with the growing use of cloud services in the financial services industry. While other industries have been quick to embrace the cost, capability, and flexibility of cloud services, the banking industry lags behind -- largely based on valid concerns about information security and control. JP Morgan Chase’s announcement serves as a wake-up call to banks of every size, informing them that when sensitive client data is concerned, private data centers and public cloud providers are partners in the ongoing fight for data security. The next bubble to burst will be the long-held presumption that maintaining customer data in a private data center is inherently safer than storing it in a public cloud. To a cyber-attacker, an IP address is an IP address. Whether sensitive customer data is located on a physical server on the bank's premises or a virtual server located on a public cloud is mostly irrelevant. What really matters is how well a bank (or its service provider) monitors network traffic, detects unusual or malicious activity, and shuts down suspect traffic. The other lesson here is that as always, a little encryption can go a long way in ensuring that customer data is safe from the prying eyes of clever and determined hackers.