Jpmorgan hack feared to be warning shot
The cyberattack on JPMorgan Chase & Co. that touched more than 83 million households and businesses was one of the most serious computer intrusions into a U.S. corporation. But it could have been much worse, analysts say.
Questions on who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.
It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed Thursday. The identities of the other institutions could not be immediately learned.
The breadth of the attacks — and the lack of clarity about whether it was an effort to steal from accounts or to demonstrate that the hackers could penetrate even the best-protected U.S. financial institutions — has left Washington intelligence officials and policymakers far more concerned than they have let on publicly. Some U.S. officials speculate that the breach was intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.
“It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence said. “But it could be mixed motives — to steal if they can or to sell whatever information they could glean.”
The JPMorgan hackers burrowed into the digital network of the bank and went down a path that gave them access to information about the names, addresses, phone numbers and email addresses of account holders. They never made it into where the more critical financial information and personal information are stored.
The bank’s security team, which discovered the attack in late July, managed to block the hackers before they could compromise the most sensitive information about tens of millions of JPMorgan customers, said several security experts and others briefed on the matter. The attack was not completely halted until the middle of August, and it was only in recent days that the bank began to tally its full extent.
U.S. officials say they have been working with JPMorgan since the intrusion was detected, chiefly through the Treasury, the Secret Service and intelligence agencies that seek to find the source of the attacks. But that is slow work, and one official cautioned against leaping to conclusions about the identities or the motives of the attackers.
“We’ve been wrong before,” he said.
JPMorgan, the nation’s largest bank, has begun contacting customers and making clear that no money was taken from any accounts. There has been no evidence of any fraudulent use of customer information. Most of the household accounts belong to U.S. residents. The hackers ended up with the addresses, email addresses and phone numbers of everyone who logged into JPMorgan’s websites and mobile applications in the recent past.
Still, the recent attacks on the financial firms raise the possibility that the banks may not be up to the job of defending themselves. The attacks also will stoke questions about rules governing when companies must inform regulators and their customers about a breach.
“It was a huge surprise that they were able to compromise a huge bank like JPMorgan,” said Al Pascual, a security analyst with Javelin Strategy and Research. “It scared the pants off many people.”
Several financial regulators have warned that a coordinated attack on the banking system could set off another financial crisis.
On Friday, George Jepsen, Connecticut’s attorney general, opened an investigation into the breach at JPMorgan, while Benjamin Lawsky, New York’s top financial regulator, began calling bank officials to warn them to take the threat more seriously.
“There needs to be far more urgency,” Lawsky said.
JPMorgan also has been working with law enforcement, including the FBI, since shortly after detecting the intrusion, which affected about 90 of the bank’s computer servers. The bank said it believed that its systems were now secure and that the threat of the hackers’ returning was over.
“To date, we have not seen any unusual fraud activity related to this incident,” said Kristin Lemkau, a bank spokesman.
“We have identified and closed the known access paths. We have no evidence that the attackers are still in our system. We have apologized to our customers.”