Chase Breach: Lessons for India
Key Security Takeaways for Indian Financial Institutions
The breach of financial giant JPMorgan Chase in the United States poses difficult questions for the financial services industry. Namely, if hackers can infiltrate Chase, is any financial institution safe?
JPMorgan Chase has confirmed that the breach affected personal information, such as e-mail addresses, tied to 76 million U.S. households as well as 7 million businesses.
Beyond that, however, getting solid details about the breach continues to be difficult. The incident appears to have begun in early June, but reportedly wasn't detected by the bank until late July. Various anonymous sources have discussed the possibility that Russian attackers were involved, and also suggested the same gang probed or exploited a total of 10 financial services firms.
With news of the breach still trickling in, information security experts weigh in on the Chase breach implications for financial services firms in India.
JPMorgan Chase India Responds
Executives at JPMorgan Chase in India did not want to speak on the record about the U.S. breach, but one high-level source, agreeing to speak without attribution, says its security team is already implementing new security controls in response. According to this source, the 2015 security agenda has a single goal: to not allow client data and organisational reputation to be compromised.
"My biggest concern is around protecting client data and the reputation of the company, which are the first to be affected when such incidents occur," the JPMorgan Chase executive says.
Already, JPMorgan Chase is setting up cybersecurity cells at the country and regional levels, which will help detect possible threats and pre-empt attacks. "The cybersecurity cell formed with key members will take proactive measures in identifying potential threats for the organization and take suitable steps to dissolve the opponent's activity," the Indian source says.
Further, the source says, the institution will take a three-tier approach to securing its environment:
- Deploy multi-factor authentication security tools and technologies at the operations level to avoid any operational errors;
- Tighten the PGP encryption security tools at various layers within the organisation;
- Provide training to internal and external customers to create awareness about potential attacks and the necessary precautions to be taken.
According to the source, JPMorgan Chase is increasing global investment in the necessary tools and technologies and on training to protect its intellectual property.
India Reacts to Breach
Reaction to the JPMorgan Chase breach has a common global thread: If one of the largest institutions in the world can be breached, how safe is any organization?
"Cybercrime incidents in Indian banks are largely motivated by money rather than ideology, politics or cyberwar," says K S Narayanan, CISO at ING Vysya Bank, based in Bangalore. "However, every event like this calls for introspection and internal assessment."
Neeraj Aarora, cyber lawyer and strategist at the Indian Institute of Corporate Affairs, Indian Law Institute, argues that the attack was the result of continuous scanning and unauthorised access and might have generated alerts that could have been discarded as false or not analysed at all.
Aarora says the JPMorgan episode has forced the Indian banking industry to give utmost priority to information security.
Cybersecurity expert B Muthukumaran, with DGM-Security Training at HTC Global Service India Pvt. Ltd., questions the length and scope of the infiltration.
"The breach, with enough time of stay within the servers as mentioned in the news, makes one wonder what the team was looking for within the servers," he says. "If the data collected was just names, e-mail IDs and phone numbers, the time spent defies logic. If the exercise was a cover, the motive must be investigated in detail."
V Rajendran, an advocate and cyberlaw consultant and president of the Cyber Society of India, says the direct implication for Indian banks is the need to adhere to more stringent security frameworks - and be prepared to respond openly in the event of a breach.
"Banks often do not share news of such attacks with employees or customers, nor take up confidence-building measures to address the issue," Rajendran says.
One lesson learned from this breach is that such incidents often pave the way for phishing campaigns against the breached entity's customers. Therefore, says Nandkumar Saravade, an independent adviser on fraud, security and vigilance, banks and enterprises must improve phishing awareness programs for customers and stakeholders.
Saravade says key steps include:
- Create customer awareness about breaches;
- Deploy effective tools to monitor every customer transaction for anomalies;
- Employ PCI-DSS standards across internal and payment processes.
Indian security experts lament that the position of a CISO, as mandated by the National Cyber Security Policy, is not followed in its true spirit. Aarora suggests that the Indian industry urgently do the following:
- Have the CISO directly report to the management or CEO instead of the CIO or IT head;
- Follow the information security lifecycle strictly in terms of confidentiality and integrity of company information assets;
- Have training and awareness sessions on information security and IT laws for all stakeholders.
Aarora recommends that security heads sign stringent service-level agreements with all third-party vendors, because any lapse by the vendor would make the host organization liable for breach of privacy under Sections 43A and 72A of the Information Technology Act 2000.
Cyber law expert Rajendran believes that "due diligence" as applicable for intermediaries who handle the data of customers will have a significant role to play in all such litigations: Banks must prove the strength of their security practices, otherwise they will be held liable.