A couple of other customer service reps (from which internal departments I do not know, as I was shuffled) were completely flummoxed by the words “possible data breach,” “potential security incident,” and similar terminology that should have made the Red Flags wave wildly. Only one person had any clue of what to do or whom to call. She asked me to immediately contact the Law Enforcement Office at Chase. I did. They were closed, too.

One fine lady, “Madge”, reacted, though. She knew what a data breach was, but added, “We are not trained for data breaches.” I asked if she knew how much financial institutions wanted them reported and stopped ASAP. She said, “Yes, but we have nothing… there is nothing I can do…”

I learned quickly how Facebook and LinkedIn can be your friends. Several frustrated hours later, I sent out a Call to Arms to my social media friends for help.

Within a few minutes, I heard from a couple of business acquaintances who “Got It!” instantly and began kicking the underbelly of the bank for a reaction. I directly called three specific people I was told were within the internal Chase CIRT (Computer Incident Response Team), but never got a response from any of them. (Weeks later, they still have not responded.) I also emailed the CIRT and have never heard back. One of my Chase buddies who saw my Facebook post did get a guy from the Hong Kong CIRT to call me hours later, but I elected to allow my buddy to take lead – so I could get some sleep. Eleven days afterward, I received a call from the mortgage division who asked what happened and if they could help.

Finally, the forensics and investigations began.

Again, I am not criticizing Chase’s security in any way at all. This is only about their incident reporting and apparent lack of escalation processes.

What are the value-added takeaways from this experience? There are both questions and answers.

  • Why can’t a customer report a potential security breach in less than a dozen phone calls over a period of hours?
  • Why did I need to reach out to my network of security contacts in a public forum to get a response?
  • What do they hope their non-security-aware customers are to do when they believe a security incident has occurred? I am a persistent SOB about security, and when I see something wrong, I do not let go until action is taken.
    • What about the millions of other customers, from small and large financial institutions everywhere, who try to report something seemingly amiss? Should they be expected to do what I did?
    • Or, should financial institutions provide an easy-to-find method for customers to reach a live human being and discuss their security/privacy concern or report suspicious activity? Or, should customers just forget it after encountering the same roadblocks I did?
  • Isn’t one of the first things we want users to know how to react to and report a potential security incident? Or, does that only apply to inside the company and not for its external customers? Changes are needed?
  • Finally, for an Epic Fail like this to occur, it is evident to me, IMHO of course, that Chase’s processes are broken, and likely have not been exercised or tested in quite some time. I could be wrong, but when it quacks like a duck…

 

Check back tomorrow for Part III and the lessons the entire industry can glean from this experience.

Winn Schwartau

President & Founder at SAC
Winn Schwartau is one of the world's top recognized experts on security, privacy, infowar, cyber-terrorism, and related topics. Winn is gifted at making highly technical security subjects understandable and entertaining & has authored more than 12 security books.