JP MORGAN BREACH – COMMENT FROM RAPID7, NTT COM SECURITY, AND CENTRIFY

Comment from Tod Beardsley, engineering manager, Rapid7

“Unfortunately we may still see piggyback attacks where cybercriminals launch social engineering attacks to cash in on the customer anxiety that follows the news cycle surrounding reports of any big-name breach. The usual advice applies: If you get an e-mail or a call from a JP Morgan rep, feel free to thank them for contacting you and hang up. Customers should always initiate that contact by looking at their credit card or statement for the contact number; you simply can’t trust that an incoming call or e-mail is legitimate and not a phishing attempt.”

Comment from Garry Sidaway, Global Director of Security Strategy, NTT Com Security

“The good news on this story is the fact that the time to detect the breach is significantly shorter than the average. But it does still indicate the huge challenges every business has against the increasingly complex threat landscape. My concern now is making sure that the lessons are learned and that information security and risk management are embedded into the business to protect personal data. Also as we have seen through the Global Threat Intelligence report, how they manage the incident is also critical.”

Comment from Barry Scott, CTO, Centrify

“It’s not always losing a username and password that’s directly the problem, although that’s very serious. Loss of data such as names, e-mail addresses, home addresses and phone numbers are all part of the jigsaw that make up a person’s digital presence, and can form a good basis for further targeted attacks on that individual and the other services they use. How many people will be getting phishing phone calls as a result of their phone number being lost in this breach, with the caller using other information to try and prove that they are genuine?”