JP Morgan identifies insecure server as entry-point for summer hack

Server overlooked by security staff when JP Morgan implemented two-factor authentication

Global investment bank JP Morgan has identified an unpatched server as the point of entry for an attack on the bank, which led to claims that the personal details and even account information of as many as 83 million people were stolen - among other losses.

The attack, which started around April, but was only recognised in the summer, occurred after the hackers stole login credentials from a JP Morgan employee. While JP Morgan uses two-factor authentication, one of its network servers had not been upgraded accordingly, making it easy for the attackers to gain entry to the company's networks once they had identified the weak link.

The bank is now analysing its sprawling network in a bid to highlight other potential weak points in its security, according to the New York Times.

JP Morgan spends some $250m every year on security and in a bid to tighten security still further in the aftermath of the attack has set up a "business control group" of technology and security executives to re-assess its security and what it needs to do to prevent attackers in the future. The group meets about once a month.

Despite claims that system blueprints were stolen, JP Morgan insists that the attackers got away with no more than email passwords, home addresses and telephone numbers. The bank claims that it has not seen any evidence of fraud or attempted fraud arising from the attack. Spokeswoman Patricia Wexler said that no account information had been accessed.

However, the attackers were able to gain high-level access to more than 90 of the bank's servers and, unlike the recent devastating Sony Pictures attack, the attackers' desire for stealth meant that no malware or other destructive tools were used in the attack. The bank may also be working with the US National Security Agency (NSA) to sweep the network to make sure no "back doors" were left behind, that the attackers could use to return.

According to the New York Times, "this summer's hack occurred during a period of high turnover in the bank's cybersecurity team, with many departing for First Data, a payments processor".