Starting in June 2014, hackers breached JPMorgan Chase’s system and gained access to 76MM personal accounts and approximately 7MM small business bank accounts. JPMorgan Chase did not realize that the breach had occurred until the following month. The issue and entry point for the hack, according to later investigations, was a single server that did not have two-factor authentication. After determining the issue, JPMorgan Chase installed a security fix.
JPMorgan Chase took swift action to involve federal authorities, who ultimately indicted four individuals they allege hacked into numerous financial institutions, including JPMorgan Chase. The charges against the alleged hackers range from unauthorized access of computers, identity theft, securities fraud and wire fraud to money laundering. It is alleged that the four men’s hack of JPMorgan Chase netted them more than 100 million dollars.
Federal authorities say that the hackers were able to access not only JPMorgan Chase’s network systems, but also those of six other banks, stockbrokers Scottrade and ETrade, and financial news sites such as Dow Jones, the parent company of the Wall Street Journal. John Horn, the U.S. Attorney of Atlanta, said, “The massive scale of these data breaches is staggering.”
JPMorgan Chase always maintained that the hackers were only ever able to obtain the names, addresses and email addresses of the more than 83 million accounts they gained access to, and that no credit or debit card information, passwords or Social Security numbers were ever obtained in the hack into its systems.
But the fact that credit card information was not obtained does not make the information that was obtained any less dangerous. Cyber thieves most often use this type of information to create highly successful phishing schemes for the purpose of identity theft and, based on the charges brought against these four men, it appears that is exactly what occurred.
In the early months of the cyber attack investigation, JPMorgan Chase spokesperson Trish Wexler said in a statement:
“Companies of our size unfortunately experience cyber-attacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels. The criminals were only successful in accessing a select set of information, the overwhelming majority of doors and windows they tried to open remained securely locked.”
Another JPMC statement to its consumers said:
“Your money at JPMorgan Chase is safe. Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident. We don’t believe that you need to change your password or account information.”
An investigation was launched involving JPMorgan Chase’s internal security team, FBI investigators, the NSA, and numerous digital forensic investigation firms such as CrowdStrike and FireEye, which were brought in to determine the extent of the breach and its origins because it was suspected the breach may have had broader implications.
The CEO, Jamie Dimon, said that by the end of 2014 JPMorgan Chase would employ 1,000 cyber security-related personnel and increase its cybersecurity budget to $250 million. Ultimately, that figure actually doubled. Banks and institutions are learning that making the proper investments in cyber security costs them much less in the end than lawsuits and customer retention loss do.
Despite early news coverage that U.S. law enforcement agencies were investigating the possibility that the attack was Russian state sponsored, reportedly in retaliation for the sanctions that were imposed against Russia for its actions in Ukraine, most security experts in the field were doubtful right from the start. As it turns out, their doubts were well founded. The attack was motivated by the common, everyday greed of four cyber criminals looking to score millions of dollars by stealing your personal information and misusing it for their own personal gain.
Additional Resources About This Breach: