
Remember The JPMorgan Breach?

written by Pierluigi Stella

http://www.scmagazine.com/states-ask-for-more-information-from-jpmorgan-chase/article/392820/

So 12 States are asking for more information which, as far as I know, Chase is not even obligated to provide.

One thing needs to be cleared up immediately. Why do we continue to consider the SSN sensitive, but not my home address and phone number? My cellphone number is not publicly available; so if hackers stole that information, to me that’s sensitive, and, in a way, as much as my SSN. So let’s be clear – sensitive information was indeed stolen! Consider that many of us only use a cellphone, and cellphone numbers aren’t in the phone books. Clearly, this information is confidential, private and sensitive. My home address may not be so ‘private’, unfortunately, but since my phone number isn’t in the phone book, my home address isn’t publicly available.


Hence, for all those like me who only use a cellphone, a home address is sensitive information as well!

Then let’s consider the letter.

What good can it do?

Chase may want to save face and reply, but I’m not sure what authority these States have. I’d need to chat with a lawyer to understand regulations, jurisdiction, and associated issues. Fifty States, 48 data breach disclosure laws; I’m pretty sure Chase has already complied with all of them. Security practices are already audited by the proper bodies, such as the Feds and the FDIC, which both mandate very strict practices and both audit every bank more than once a year.

Therefore, rather than asking Chase for information the bank likely already provided to the controlling bodies, why not ask those bodies if they’re allowed and willing to share that information?

We don’t need more auditing bodies; the banking industry has plenty! And with all due respect, States don’t have qualified bodies capable of reviewing the information that has been requested. This is already being done; it’s clearly only a political stunt to demonstrate to the public that the State authorities are doing something about cybercrime. Well, I don’t believe this is the direction they should be going. They should start by securing their own infrastructure and our data.


As far as I recall from attending industry trade shows, local and state government security lags behind that of banks by about 10 years, at the very least. If they haven’t all been taken down yet, it’s only because hackers don’t care about the data these public entities are protecting (or not protecting). Lack of funding is always the main complaint of the managers deputed to make those purchases. If the States truly want to do something serious about security, why not start by allocating more budget to the local governments, making it mandatory that they update their security to standards comparable to those of banks?

Because believe me when I say, there’s no one in this country more secure, more scrutinized and more up-to-date when it comes to security than the financial sector.

Chase issue or not, all other verticals as well as the public sector should take a lesson on this topic from the financial industry.  I have no idea what happened at Chase; but I know that if it happened to them, it could very easily have happened to anybody else.
