Anatomy of a Breach: JP Morgan Chase — 76 Million Households Compromised at America's Largest Bank

> series: anatomy_of_a_breach —— part: 067 —— target: jp_morgan_chase —— households: 76,000,000 —— security_budget: $250,000,000

Hedgehog Security 31 July 2014 13 min read

$250 million security budget. 76 million households compromised.

In October 2014, JP Morgan Chase disclosed that attackers had breached its systems during the summer of 2014, compromising data on 76 million households and 7 million small businesses — making it the largest breach of a US financial institution at the time. The stolen data included names, addresses, phone numbers, email addresses, and internal JP Morgan information about account types. JP Morgan stated that no financial data (account numbers, passwords, Social Security numbers) was stolen, and that there was no evidence of fraud resulting from the breach.

The breach was particularly striking because JP Morgan spent approximately $250 million annually on cybersecurity and employed over 1,000 security staff — one of the largest security operations in the financial sector. The attackers had gained initial access through an employee's compromised credentials and exploited a server that had not been upgraded to two-factor authentication — a single server in an otherwise well-protected infrastructure. The breach persisted for approximately two months before JP Morgan's security team detected it, demonstrating that even the most well-resourced security operations have gaps.


One server. No MFA. 76 million records.

The JP Morgan breach is the most compelling evidence in this entire series that security is determined by its weakest point, not its strongest. JP Morgan had enterprise-grade security across most of its infrastructure — but one server had not been upgraded to require two-factor authentication. The attackers found that server, used compromised credentials to access it, and from there moved laterally into systems containing 76 million customer records.

The One Server Without MFA

In an organisation with 1,000 security staff and a $250 million budget, a single server without MFA was the entry point that compromised 76 million records. This underscores why Cyber Essentials Danzell makes MFA an auto-fail criterion — because even one unprotected access point invalidates the entire investment. Our penetration testing identifies these gaps systematically.

Budget Does Not Equal Security

$250 million per year. 1,000 security staff. Still breached. The JP Morgan case proves that security is not a spending problem — it is an implementation problem. Every control must be applied universally, tested regularly, and monitored continuously. Vulnerability scanning identifies the servers that have been missed.

Financial Services Under Attack

JP Morgan was the largest — but not the only — financial institution targeted. The attackers behind the JP Morgan breach were linked to attacks on multiple financial firms. Our financial services sector analysis examines why the sector remains one of the most targeted.

Two Months Before Detection

Despite a $250 million security operation, the breach persisted for approximately two months. SOC in a Box (https://www.socinabox.co.uk) provides 24/7 monitoring that reduces dwell time from months to hours — because even the best-resourced internal teams have coverage gaps.

Universal coverage. No exceptions.

The JP Morgan breach teaches that security controls must be applied universally — every server, every access point, every account. A single exception creates the gap that attackers will find. Cyber Essentials certification enforces this universality by requiring MFA, patching, and access controls across the entire in-scope estate. Our penetration testing validates that controls are uniformly applied. Vulnerability scanning identifies the servers that have been missed. SOC in a Box for Financial Services monitors for the credential compromise and lateral movement that defined the JP Morgan attack. And UK Cyber Defence provides incident response when a breach is detected.


JP Morgan had $250 million and 1,000 security staff. One server without MFA cost them 76 million records.

Our penetration testing finds the gaps. Vulnerability scanning identifies the servers you missed. Cyber Essentials mandates universal MFA. Because 99% coverage leaves exactly the gap that attackers exploit.
