JPMorgan exec claims bank repels '45 billion' cyberattack attempts per day

Assets boss also reckons she has more engineers than Amazon

Updated The largest bank in the United States repels 45 billion cyberattack attempts per day, one of its leaders claimed at the World Economic Forum in Davos. 

Mary Callahan Erdoes, JPMorgan Chase's CEO in charge of asset and wealth management, revealed the figure during a discussion of the future of banking yesterday, adding that the number is twice what the institution faced a year prior. 

"We have 45 billion – billion – cracks into our system that don't make it through, not on an annual basis, on a daily basis," she told her audience. "There are people trying to hack into JPMorgan Chase 45 billion times a day. That number is what it is."

JPMC, the largest US bank by market cap, also claims to have 62,000 technologists working to protect corporate assets - a figure Erdoes claims tops the engineer count at Google or Amazon.

"Why? Because we have to," Erdoes said. 

OK, here's where we bring this back down to Earth: 45 billion is a lot. That's an average of 521,000 per second per day. But we all know that is going to be mostly port scans, automated checks for known vulnerable services, and similar chaff. It's not going to be 45 billion fully formed attacks per day; it's more of an indication of the amount of traffic being thrown at JPMC's network boundaries.

We imagine the bank's biggest worry isn't the volume of poking it's getting, it's that the wave after wave of connections may be masking more sophisticated and tangible attempts to break into its networks. It's a tactic crooks use: distract IT admins with loads of suspicious-looking traffic while sneaking in round the back via some quiet vulnerable service or a spear-phishing email.

A big challenge will be determining out of all the scans and prodding the actual legit intrusion attempts.

And don't forget to go tell the WEF about your dropped packet count at the firewall.

That all said, it's not a surprise that JPMorgan Chase, with its high profile in one of the sectors most targeted by cyber-crooks, faces so many probings and prodding: There's a lot of money to be siphoned from the financial giant, which reported $3.9 trillion in assets as of Q4 [PDF] last year. 

A report from the Bank of England further solidifies the perceived risk of cyberattacks in the banking world, with such incidents topping the list of what bank executives see as their top threats and greatest challenges. 

Even epic levels of investment in people and tech haven't been enough for institutions like JPMorgan, however.

JPMC was ordered to face a lawsuit in January 2023 filed by a subsidiary of eyewear megafirm EssilorLuxottica, who alleged the bank was negligent in ignoring signs of fraud. That negligence, the complaint states, allowed cyber crooks to make off with $272 million in funds from Essilor's manufacturing arm over the course of 243 fraudulent transactions. 

"Fraudsters [are getting] smarter, savvier, quicker, more devious and more mischievous," Erdoes said at Davos yesterday.

"They go into the law firm that's sending you an email, take over the email, and they send the bank a note saying 'please send the money here,'" she added, almost as if addressing the Essilor matter. "That is happening everywhere in the world on a daily basis … staying one step ahead of it is the job of each and every one of us." 

Beyond lapses of judgement that allow fraud to proliferate, JPMorgan Chase has also made internal technical mistakes that have cost it millions - an admittedly small number for a firm that had a net income of $9.3 billion in the fourth quarter of last year. The SEC in June fined the company $4 million for deleting millions of emails, meaning the bank was unable to hand over communications the SEC subpoenaed in a dozen regulatory investigations. 

Accidentally, of course. ®

Updated to add on Friday, January 19

Guess we were right to be cynical about it. A spinner for JPMorgan Chase has been in touch to clarify that Erdoes quoted a figure that seemingly included all connection attempts not just potentially malicious ones. So, that won't be 45 billion cyberattack attempts a day; it's 45 billion events at the network boundary.

"Ms Erdoes was referring to observed activity collected from our technology assets, malicious or not," a spokesperson for the bank told us today.

"This activity is then processed by our monitoring infrastructure. Examples of activity can include user logins like employee virtual desktops, and scanning activity, which are often highly automated and not targeted."

More about

TIP US OFF

Send us news


Other stories you might like