The cyberattack on JPMorgan Chase that enabled the largest known American bank intrusion to date could have been prevented with a simple security fix, according to new data.
A report from the New York Times identifies the hackers’ entry point. The attack, which ultimately compromised the contact information of 76 million households and 7 million small businesses, started last spring when one employee’s login information was stolen.
Things could have stopped there, but JPMorgan’s security team failed to update one of its servers to include two-factor authentication, according to anonymous sources from within the company referenced in the report. The bank officially revealed the scope of the breach in October.
Two-factor authentication is one of the most basic extra layers of access security. It means that in addition to their regular password, a user needs a second, one-time, uniquely generated code that may be sent to their smartphone, for example. That single server, lacking such protection, left the bank wide open for intrusion since it required only the stolen login credentials and not a secondary code.
JPMorgan is now undergoing a top-to-bottom internal review that is looking to weed out security holes in its network. The bank views the breach as a public embarrassment, according to the Times.
JPMorgan Chase maintains that no account information or Social Security numbers were compromised in the breach, only contact information like phone numbers and email addresses. Hackers could exploit this information through phishing schemes, like fraudulent email messages or phone calls purporting to be from the bank.
The bank claims it will never ask for your personal information in an email or text message.