JP Morgan Chase Breach Came Through A 3rd-Party Vendor?

The JP Morgan Chase breach compromised 76 million households and about 7 million small businesses, as reported here. Additional reporting here and here gives an interesting sequence of events:

  • Hacker compromises "JP Morgan Corporate Challenge", a website for "charitable races" (these are races for runners, e.g. 5k)
  • Usernames and passwords, as well as a certificate for the site's vendor, Simmco Data Systems, were compromised
  • Four months later, JP Morgan's main network was compromised through "an employee with special privileges used both at work and at home" 

Unlike the "smoking gun" that directly linked the third-party vendor Fazio Mechanical to the breach at Target, we can only speculate regarding the connection between Simmco Data Systems and JP Morgan Chase. The possible links are:

  • Employee used same or similar username / password to access Corporate Challenge and JP Morgan Chase assets 
  • Employee was sent a targeted phishing email by the hackers of the Simmco site, made more effective using background info gathered through the Corporate Challenge website
  • Malicious content was hosted on or sent through Simmco that compromised employee's home machine 
  • No link. It was purely coincidental that the same 11 IPs used to compromise Simmco Data Systems were also used to compromise JP Morgan Chase.

While there is a small chance that there is no link, it is much more likely that, once again, a third-party vendor was used as a stepping stone to a larger target. In either case, this third-party risk could have been avoided.
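The overlap in source IPs noted above is the kind of link a defender can test for directly: take the addresses a vendor reports from its own incident and match them against your own authentication logs. The sketch below is an added example, not from the original post or the reporting it cites; the log format, account names, dates and addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed indicators (RFC 5737 documentation addresses, not real IoCs).
VENDOR_INCIDENT_IPS = {"203.0.113.7", "203.0.113.45", "198.51.100.20"}
PRIVILEGED_USERS = {"jdoe"}  # hypothetical privileged account

# Constructed authentication log: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2020-01-02T08:14:11Z user=asmith src=192.0.2.10 result=success
2020-01-02T23:41:09Z user=jdoe src=203.0.113.45 result=failure
2020-01-02T23:41:52Z user=jdoe src=203.0.113.45 result=success
2020-01-03T01:02:33Z user=bwong src=198.51.100.20 result=failure
malformed line without fields
2020-01-03T01:05:00Z user=asmith src=not-an-ip result=success
"""

def parse_line(line):
    """Return (timestamp, fields), or None for a line we cannot use."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        # Normalise the address so textual variants still compare equal.
        fields["src"] = str(ipaddress.ip_address(fields["src"]))
    except (KeyError, ValueError):
        return None
    return parts[0], fields

def correlate(log_text, indicators, privileged):
    """Match log sources against vendor indicators and rank by impact."""
    wanted = {str(ipaddress.ip_address(i)) for i in indicators}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1]["src"] in wanted:
            ts, f = parsed
            hits[f["src"]].append((ts, f.get("user", "?"), f.get("result")))
    findings = []
    for ip, events in sorted(hits.items()):
        ok = sorted({u for _, u, r in events if r == "success"})
        # A successful login from an indicator IP matters most on a privileged account.
        sev = "critical" if set(ok) & privileged else "high" if ok else "review"
        findings.append({"ip": ip, "events": len(events), "successful_users": ok, "severity": sev})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, VENDOR_INCIDENT_IPS, PRIVILEGED_USERS):
        print(finding)
```

A "review" finding (only failed attempts from an indicator address) still shows the vendor's intruder probing your accounts, which is the signal that would have tied the two incidents together early.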