By JESSICA SILVER-GREENBERG, MATTHEW GOLDSTEIN and NICOLE PERLROTH
A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others was compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.
“We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.
Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.
Jamie Dimon, JPMorgan’s chairman and chief executive, has acknowledged the growing digital threat. In his annual letter to shareholders, Mr. Dimon said, “We’re making good progress on these and other efforts, but cyberattacks are growing every day in strength and velocity across the globe.”
Even though the bank has fortified its defenses against the attacks, Mr. Dimon wrote, the battle is “continual and likely never-ending.”
On Thursday, some lawmakers weighed in. Edward J. Markey, Democrat of Massachusetts and a member of the Senate Commerce Committee, said “the data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger.”
Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts.
That lack of any apparent profit motive has generated speculation among the law enforcement officials and security experts that the hackers, whom some thought to be from Russia, may have been sponsored by elements of the Russian government, the people with knowledge of the investigation said.
By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access.
The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.
Beyond its disclosures, JPMorgan did not comment on what its investigation had found. Kristin Lemkau, a JPMorgan spokeswoman, said that describing the bank’s breach as among the largest was “comparing apples and oranges.”
Preparing for the disclosure on Thursday, JPMorgan retained the law firm WilmerHale to help with its regulatory filing with the Securities and Exchange Commission, people with knowledge of the matter said. Earlier on Thursday, some executives — including Barry Sommers, the chief executive of Chase’s consumer bank — flew back to New York from Naples, Fla., where they had convened for a leadership conference, these people said.
The initial discovery of the hack sent chills down Wall Street and prompted an investigation by the Federal Bureau of Investigation. The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach.
Faced with the rising threat of online crime, JPMorgan has said it plans to spend $250 million on digital security annually, but had been losing many of its security staff to other banks over the last year, with others expected to leave soon.
Originally Published October 2nd, 2014
By Kelly Santos | November 18th, 2014 | Digital Privacy, Identity Theft
During the holiday shopping season, millions of Americans will take advantage of the convenience, speed and ease of online shopping: Spot it, love it, click it, and it’s on the way.
A recent survey found that 77 percent of respondents said they shop on the Internet, and the National Retail Federation predicts that online sales during November and December will jump 8 to 11 percent from 2013, accounting for $105 billion.
Yet Americans have mixed feelings about the act of using credit or debit cards to buy something online: Many consumers—more than half (56 percent) of respondents—already have experienced information compromise in a retail breach, according to the survey by the Identity Theft Resource Center, sponsored by IDT911.
Plus, more than 59 percent of people are either “extremely concerned” (26.2 percent) or “moderately concerned” (32.9 percent) that shopping online will put them at risk of becoming a victim of identity theft, the survey said.
Recent high-profile data breaches at major retailers also have put a damper on shoppers’ holiday cheer, whether online or offline. When we asked respondents how concerned they were about identity theft originating from a breach at retailers such as Target, Michaels, Nordstrom or Home Depot, 39.8 percent said they were “extremely concerned.”
With all this fretting, you’d think consumers would be on high alert, checking their credit card and banking statements more often and keeping personal data close to the chest. But 41.6 percent of respondents said they didn’t check such statements more often during the holidays compared with other times of the year. And while shopping online, many consumers have shared or are willing to share unnecessary pieces of personally identifiable information:
IDT911 has a few simple suggestions for online shoppers this holiday season:
Finally, if you suspect you’re a victim of identity theft or wish to proactively manage your identity, check with your insurance company, financial institution, or employee benefits provider. Many companies offer LifeStages™ Identity Management Services from IDT911 for low or no cost. To learn more, call 1-888-820-5959.
During the holidays consumers are more giving and willing to open their wallets to spend on presents and donate to charity – something identity thieves are counting on. Thieves often prey on victims during the holidays through a variety of schemes to take their information and their money. Since the Grinch isn't the only one out to steal Christmas, consumers should protect themselves from the rise in scams this holiday season.
Here are five common scams to avoid during the holidays:
1. Santa Letter Scam
Although writing letters to Santa is one of the most innocent ways to celebrate the spirit of the season, identity thieves may use this opportunity to steal your information. The Santa letter scam uses a website claiming to write children a letter from Santa, but aims to steal personal information, according to the Better Business Bureau.
2. Malware-Infected Shopping Sites
Similar to the scam above, fraudulent shopping sites that show up in search results could try to steal your financial information through malware, AARP warns. Once you click on a link on a fake shopping site, you may accidentally download malware that will allow cybercriminals to spy on your login details and more.
3. Gift Card Fraud
During the holiday season, shoppers are likely to purchase preloaded cards as a simple gift. However, scammers could attempt to scan and copy the information of unloaded gift cards on display, according to USA Today. They then wait until consumers add money and activate the card, and steal the money using the information scanned from the card or transfer the data onto a new card. While in stores, ask the cashier to scan the card to ensure it is the right value.
4. Email Phishing Schemes
Scammers often try to take advantage of the holiday season by pursuing consumer information using email phishing. You may get unsolicited emails from senders masked as well-known brands offering deals that are likely too good to be true. Avoid email phishing scams by not clicking on emails from addresses you don't recognize.
5. Fake Charities
Known as the season for giving, the days surrounding Christmas mean more charities are out asking for money. However, if you get a call or email from a charity requesting a donation, make sure that these organizations are legitimate. You can check to see whether these charities are real by going to www.guidestar.org, which rates charities and nonprofits, or by visiting the BBB's site.