Network Breaches Case Study: JP Morgan
Date: July 2014
Impact: 76 million households and 7 million small businesses
Details: The largest bank in the nation was the victim of a hack during the summer of 2014 that compromised the data of more than half of all US households – 76 million – plus 7 million small businesses. The data included contact information – names, addresses, phone numbers and email addresses – as well as internal information about the users, according to a filing with the Securities and Exchange Commission.
The bank said no customer money had been stolen and that there was “no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.”
Still, the hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. According to the SANS Institute, JP Morgan spends $250 million on security every year.
In November 2015, federal authorities indicted four men, charging them with the JP Morgan hack as well as attacks on other financial institutions. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein faced 23 counts, including unauthorized access of computers, identity theft, securities and wire fraud, and money laundering that netted them an estimated $100 million. A fourth hacker who helped them breach the networks was not identified.
Shalon and Orenstein, both Israelis, pleaded not guilty in June 2016. Aaron was arrested at JFK Airport in New York last December.
Solutions:
Accountability:
The GDPR places accountability obligations on data controllers to demonstrate compliance. These include accountability measures such as: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (“DPO”).
Privacy by Design:
With regard to Privacy by Design, the enterprise will need to ensure implementation of technical and organizational measures to show that they have integrated data compliance measures into their data processing activities, such as adopting policies that ensure compliance with data minimization obligations. This is one main reason that Data Protection Officers must have expertise in technical and administrative data protection controls.