There’s an old adage in the media industry about rating the newsworthiness of a story – “dog bites man” versus “man bites dog”. The implication is a story that is unusual or has a much greater impact would garner a lot more interest from readers than would an article that’s your average, run-of-the-mill news article. Unfortunately, we may be coming to the point soon where major, large-scale data breaches could fall into that latter category of news.
According to published reports, authorities are investigating coordinated cyber-attacks carried out against JPMorgan Chase and several other financial firms this month that resulted in large amounts of data, including checking and savings account information, being stolen. JPMorgan is just the latest in a string of high-profile data breaches that have been reported this month. Last week, Community Health Systems Inc., which owns, leases or operates more than 200 hospitals in 29 states, announced that it suffered a cyber-attack earlier this year resulting in the information of more than four million patients being compromised. Just two weeks ago, Supervalu, which operates more than 3,300 grocery stores across the country, said that it is investigating a breach that may have affected more than 1,000 of its stores. Other businesses targeted by hackers this year include Neiman Marcus, P.F. Chang’s and Goodwill Industries.
And on and on it goes. Target, which suffered a massive data breach late last year that included the theft of millions of customers’ debit and credit card numbers, is still reeling from the impact of the attack. The retailer recently reported that it has thus far incurred $148 million in breach-related expenses.
The level of sophistication involved in the attack against JPMorgan, which reportedly originated in Russia, has led some to believe that the hackers were aided by the Russian government, possibly in retaliation for the sanctions levied against it by the U.S. for its hand in the ongoing conflict in Ukraine.
“The Russians performed a zero-day attack to gain initial access to the network. By definition, this means they leveraged a vulnerability, or flaw, that was previously unknown,” said Greg Kazmierczak, CTO of Wave Systems Corp. “There is no such thing as fool-proof security, especially when the attacker is a well-funded, highly-skilled, and highly motivated nation-state.”
Other experts agree that the capabilities demonstrated by the hackers who were able to infiltrate JPMorgan’s network were well beyond those of a typical cybercriminal.
“JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from nation-state’s ability to access their systems at will. The lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military-level security,” said Philip Lieberman, president of Lieberman Software.
Nonetheless, that doesn’t mean there aren’t steps organizations can take to better protect themselves. Some data security experts are even advocating for the elimination of passwords in favor of newer, more secure forms of authentication.
“Hackers, whether they're from Russia or Rochester, will always steal passwords. It's a fact of life that the companies that store them and the users who use them can no longer avoid. There's a simple, clear solution to this problem that will soon become the norm: don't use passwords,” said Scott Goldman, CEO of TextPower. “Other forms of authentication are available and should be employed by any company with data that's worth stealing - and that's every company.”
However, others argue that these types of breaches are unpreventable, and that only by employing a higher level of encryption can data be better protected.