The JP Morgan Chase Bank data breach that caused damage to over 76 million households and 7 million small businesses has sparked waves of controversy leaving questions on how the attack was orchestrated, new reports state JP Morgan was breached through a corporate sponsor event website.

JPMorgan Chase Bank discovered that hackers had infiltrated both the banking servers and the JP Morgan’s Corporate Challenge website with the same offshore servers, causing damage for over two months.

It was not made clear when the bank identified the link between the breach or if the company would if hackers had not used the same I.P. address to launch several cyberattacks on both the bank and Corporate Challenge race website, the Wall Street Journal reported, citing people briefed on the matter.

One security firm that identified the breach noticed the stolen J.P. Morgan database contained combinations of email addresses and passwords used by race participants who had registered on the Corporate Challenge website.

More disturbing is in the stolen database, criminals had access to the certificate for the Corporate Challenge websites vendor, Simmco Data Systems, indicating a serious breach occurred, allowing hackers to pose as the website operator and intercept traffic pushed through and from the site, such as race participants’ login combinations, said one person briefed from the security firm.

More frightening is the stolen certificate from Simmco Data Systems dated back to April, suggesting hackers first compromised the certificate, launching their attacks at least four months prior to the bank identifying unusual activity within its own network.

Considering hackers had access to over 90 internal servers inside the bank, hackers could have caused far more severe damage.

The Corporate Challenge website operated by Simmco Data Systems was taken offline shortly after the Chase bank data breach was publicly announced, reported briefed persons.

Though the website was taken offline shortly after the breach, the website has since been revived, remaining vulnerable, holding dates for the banks upcoming races in Shanghai and Singapore, but has moved payment and registration to a Chase website.

The point of entry was identified as hackers compromising the computer of an employee with higher privileged network access, the device was used both at work and at home. Hackers took control of the computer allowing them access to the banks network while allowing them to steal contact data and the financial records of 83 million.

The JPMorgan Chase Bank data breach has unearthed a great deal of controversy, even gaining the attention of New York State State Financial Service Regulators. Regulators urged banks to close the gaping security holes in their services, listing a number of methods financial service providers could implement.

Due to the massive data breach, JPMorgan’s chief executive, Jamie Dimon, suggests he may increase the company’s security defense budget from $250 million to $500 million.

Though the single data breach has caused much controversy, the growing number of companies suffering data breaches remains at an all time high, solutions need to target all industries, not just financial institutions.

The FBI alone has said over 500 million financial records have been stolen in the past year due to data breaches, leaving half of the United States population identities leaked on the internet. In one year, hackers have managed to publicize nearly half a countries population without walking into a building or out of their own front door.

Sparking controversy throughout the FBI among others, solutions need to be identified quickly as the growing list expands at rapid rates.

Sources:

Wall Street Journal

New York Times