Governance & Risk Management , Incident & Breach Response , Security Operations
Arrests Pending in Chase Breach?
Experts Analyze Bank Breach Investigation DevelopmentsThe federal investigation into the spring 2014 data breach at JPMorgan Chase could result in criminal charges being filed in the "coming months," according to a news report. Investigators reportedly believe that at least some of the perpetrators are "gettable," meaning they reside in a country with which the United States has an extradition treaty.
The New York Times report quotes unnamed individuals with knowledge of the FBI's investigation into the hack attack against Chase, which was discovered in August 2014, and which exposed information related to 76 million households and 7 million small businesses. Attackers reportedly made off with "gigabytes" of sensitive data after tricking an employee via a social-engineering attack, and then gaining access to a sensitive server that Chase failed to upgrade to require two-factor authentication controls, the newspaper reports (see Phishing: Learning from Recent Breaches).
Chase declined to comment about the The Times report, which claims that the attack against the bank was less sophisticated than investigators first suspected, which has allowed the case to proceed relatively quickly.
In the wake of the breach being discovered, Chase pledged to double its annual security budget over the next five years from $250 million to $500 million to bolster information security practices (see Chase Breach: What We Know So Far).
How Investigations Progress
Some cybercrime and fraud experts, however, have questioned aspects of The Times report. For example, if the suspects are located in a country that has an extradition treaty with the United States, why haven't they already been charged and arrested overseas, and related U.S extradition requests filed? "Those who are being arrested could very well be part of a larger crew where the 'Mr. Big' could very well be Eastern European," Tom Kellermann, chief cybersecurity officer at security firm Trend Micro, tells Information Security Media Group.
But attorney Mark Rasch, who created the Computer Crime Unit at the U.S. Department of Justice, tells ISMG that there's no fixed pace at which cybercrime investigations will unfold. "To investigate these cases usually takes anywhere between days, weeks, months, years or never," he says. "It all depends on the amount of resources you're willing to dedicate, [and] the sophistication of the hackers. If they're really, really good, you may never catch them. If they're less good, you can catch them, and if they're really bad, they basically have a neon sign pointing that says, 'Arrest Me.'"
Attorney Mark Rasch discusses the duration of cybercrime investigations.
Prosecutions: Not a Given
As that suggests, federal prosecutors do not file charges in every case involving online crimes - even for such high-profile victims as Chase, which is the largest U.S. bank. So far, for example, no criminal charges have been filed in the wake of massive breaches involving the breach of Target that was discovered in December 2013, which resulted in the theft of 40 million payment card details and personal information about 70 million customers. Likewise, no charges have been filed in cases that related to Home Depot, eBay, or even the Sony Pictures hack, although the U.S. government says it has attributed that attack to North Korea.
Rasch emphasizes that many cybercrime cases will never result in related charges being filed, perhaps because investigators simply cannot amass sufficient evidence. "It's frequently difficult to get prosecutors to investigate computer crime cases, because they're difficult to investigate, require a lot of resources, the success rate is low, and by and large, what the good guys want is just for the bad guys to go away," he says. "So, the cases that get prosecuted are the ones that are high profile, either because of the nature of the victim, the nature of the plaintiff, and the defendant; naked pictures of celebrities; or [because] it involves North Korea."
Attribution: Stay Skeptical
What's notable about the recent Times report is that it doesn't attempt to attribute the attacks to individuals operating from a specific country. That's quite different from the days following the discovery of the breach, when, for example Bloomberg News - quoting anonymous sources with knowledge of the investigation - reported that U.S. officials suspected that the Russian government ordered the hack as a reprisal the West's Ukraine sanctions against it (see New JPMorgan Chase Breach Details Emerge). But by October, the FBI said it had ruled out the Russian government as a suspect.
But even in August 2014, many experts were warning against trusting anonymous reports that attributed the attack to Russia, and claims - reported by The Times - that experts were linking the breach to Eastern European hackers. "It's like any crime," Alan Woodward, a professor in the department of computing at the University of Surrey in the United Kingdom, told Information Security Media Group. "You don't go around alleging any crime unless you can prove it."
Likewise, Dublin-based cybercrime expert Brian Honan emphasized the difficulty of attributing online attacks. "It takes a lot of additional evidence and expert analysis to identify the person sitting at the keyboard at the computer," he said.
Watching For Ringleaders
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says much of the early blame on Russia could be linked to the perceptions of Chase's own security team. She says the team at Chase, which has deep intelligence and numerous members with law-enforcement backgrounds, "reportedly has a predisposition for assigning blame to a nation-state."
Nevertheless, Litan says it will be interesting to see if the alleged upcoming arrests reported by The Times actually nab the ring leader or leaders. "If they don't, I think the jury will still be out," she says.