Banks are supposed to be among the most secure places on Earth, guarded against physical attacks and cyber-intrusions with extensive security measures.

But after JPMorgan Chase, the nation’s largest bank, said this week that more than 80 million customers were affected by a breach of its computer system, security experts warn that Wall Street remains vulnerable to cyberattacks and that other industries may be even worse off. The JPMorgan attack affected significantly more people than many experts initially thought, making it one of the largest breaches of a financial institution in recent history.

“As you’d expect, banks face a lot of scrutiny in terms of regulation — and they do spend a lot of money on security,” said Ben Johnson, an expert at cybersecurity firm Bit9+CarbonBlack.

“Credit cards and retailers are obviously one huge target right now,” he said, “but banks have all sorts of financial and personal information” that make them attractive to hackers.

JPMorgan said 76m households and 7m small businesses were affected by the cyberattack, which was first reported in August. There was no indication that hackers were able to take customers’ account information, including PINs or Social Security numbers, the company said in a filing with the Securities and Exchange Commission on Thursday. However, hackers did get their hands on customer names, addresses, phone numbers and email addresses — plus internal bank information “relating to such user,” according to the filing.

There have been a series of huge breaches over the past year, mostly attacks on major retailers in which malware was used to compromise payment systems. Last year, Target said data on up to 110m of its customers had been compromised in a cyberattack. Last month, Home Depot said a breach at its U.S. and Canadian stores over a six-month period may have put an estimated 56m payment cards at risk.

But banks typically hold more sensitive information about customers than retailers and can sometimes face technical challenges in keeping their information safe, security experts say.

“Many banks have been around a long time, and thus have older systems,” Johnson said. “There’s also a lot of mergers and acquisitions that can bring in different systems, which can be a huge challenge from an information security standpoint.”

Banks also must fend off not only cybercriminals trying to make money by selling consumers’ information but also more-advanced actors who want to disrupt financial industries or conduct economic espionage.

Hackers infiltrated JPMorgan in June and then made several additional attempts to collect more data before the bank discovered the breach, The Washington Post has reported.

And JPMorgan doesn’t appear to be the only one in trouble. As the news about its breach was breaking in late August, the FBI released a statement saying it was working with the Secret Service to determine the scope of cyberattacks reported against “several American financial institutions.”

In July, Bloomberg News reported that a financial industry group, the Securities Industry and Financial Markets Association, had called for a cyberwar council to fight such attacks and hired former National Security Agency director Keith Alexander to assist it with cybersecurity. In April, JPMorgan chief executive Jamie Dimon told shareholders that the company faced a “likely never-ending battle” to stay ahead of “increasingly complex and more dangerous” cyberattacks, Bloomberg News reported.

Even with the challenges and setbacks, Johnson said, the financial industry is one of the best prepared to weather cyberattacks — but its apparent recent failures are a bad sign for other industries.

“We are not winning the war as a society,” he said.

By arrangement with The Washington Post-Bloomberg News Service

Published in Dawn, October 5th, 2014