JP Morgan Chase & Co.
JPMorgan Chase Hacking Affects 76 Million Households
By JESSICA SILVER-GREENBERG,
MATTHEW GOLDSTEIN and NICOLE PERLROTH
OCTOBER 2, 2014
The details of the breach — disclosed in a securities filing on Thursday emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customersʼ credit card details and potentially includes more sensitive data.
“Weʼve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorganʼs computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bankʼs systems, according to several people with knowledge of the results of the bankʼs forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information. Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained
security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bankʼs computer systems. Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Jamie Dimon, chief executive of JPMorgan Chase, says that the digital threat is on the rise.Credit Richard Drew/Associated Press Jamie Dimon, JPMorganʼs chairman and chief executive, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, “Weʼre making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is “continual and likely never-ending.” On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said “the data breach at JPMorgan Chase is yet another example of how Americansʼ most sensitive personal information is in danger.” Hackers drilled deep into the bankʼs vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, which some thought to be from Russia and may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bankʼs security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bankʼs computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bankʼs systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorganʼs systems.