Data Theft from 76 Million Homes Enabled by JPMorgan Password

October 3, 2014 by Hugh Son and Michael Riley

Hackers exploited an employee password to crack a JPMorgan Chase & Co. server and ultimately pull off one of the largest cyber-attacks ever, accessing data on 76 million households and 7 million small businesses.

JPMorgan, the largest U.S. bank, outlined the scope of the previously disclosed breach yesterday, reassuring clients there’s still no evidence account numbers and passwords were compromised, even as names and contact data were exposed. People who logged on to certain websites or mobile apps had contact information stolen, the New York-based company said.

The bank has been struggling to head off damage since the incident, first reported by Bloomberg News in August. New details on how attackers accomplished the feat over months, including their initial entry, were provided by two people briefed on the investigation, who requested anonymity because it’s private. JPMorgan said the threat now is phishing, in which criminals try to trick people into handing over more valuable data, such as user IDs and passwords.

“If they find the CEO of a company, they know this person’s worth a lot of money, they would try to attack that person,” said Jeff Tjiputra, program chairman for Cybersecurity at the University of Maryland University College. Still, “it’s not an easy hack or scam.”

Private Bank

Some of those affected by the incursion were outside the U.S., said Patricia Wexler, a JPMorgan spokeswoman. In addition to contact information, hackers tapped into internal data identifying customers by category, such as whether they are clients of the private-bank, mortgage, auto or credit-card divisions, according to Wexler.

“There’s no evidence that account information — things like accounts numbers, passwords, log-in IDs — were accessed, viewed or acquired,” Wexler said. For example, she said, the hackers wouldn’t know the balance of a customer’s mortgage, only that they were a client of that unit.

JPMorgan currently has 65 million customers and reaches half of all U.S. households, she said. Information on both current and former customers was exposed, as well as on some non-customers, including people who may have logged on to JPMorgan websites to conduct transactions with bank clients.

Data were compromised through Chase.com and JPMorganOnline.com, and the mobile apps that support those websites, Wexler said.

Legal Help

Customers aren’t liable for unauthorized transactions that are promptly reported to the bank, the company said. The lender disclosed the scope of the breach in a regulatory filing, retaining the law firm WilmerHale to help with it, a person briefed on the matter said.

JPMorgan shares rose 1.5 percent to $59.72 at 9:56 a.m. in New York and have gained about 2.2 percent this year, trailing the 6.1 percent advance for the 85-company Standard & Poor’s 500 Financials Index.

The 76 million households affected compare with the U.S. total of about 115 million as of 2012. Earlier this year, 145 million personal records were taken in a breach of EBay Inc. An attack on retailer Target Corp. during last year’s holiday season affected as many as 110 million shoppers. An attack at Home Depot Inc. disclosed last month compromised 56 million payment cards.

“The data breach at JPMorgan Chase is yet another example of how Americans’ most sensitive personal information is in danger,” said U.S. Senator Edward Markey, a Massachusetts Democrat and member of the chamber’s commerce committee, who called for legislation to protect against cyber attacks.

FBI Probe

The incursion at JPMorgan, which is being probed by the Federal Bureau of Investigation and other agencies, started in June, according to the people familiar with the bank’s review. The hackers entered a web-development server with an employee’s user name and password, then wormed their way into the lender’s network, the people said.

The server was a soft spot in the bank’s armor that lacked safeguards normal in other parts of the network such as a uniquely generated code a user must enter along with a password, a system known as two-factor authentication, the people said. From that server, the intruders found more vulnerabilities in JPMorgan’s custom software unknown to the firm’s security team that gave them access to the main data banks, one of the people said.

Changing Passwords

JPMorgan Chief Operating Officer Matt Zames urged employees to be vigilant.

“Make sure you have fortified your own defenses,” he told them yesterday in a memo obtained by Bloomberg News. “Log off your workstation when you leave your desk. Change your passwords often, choose passwords that are very hard for others to guess, and never, ever share passwords.”

The hackers accessed more than 100 servers that housed data across the spectrum of the company’s business lines, including investment banking, credit cards, and commercial and residential banking, the people said.

Using sophisticated tools and malicious programs, the intruders siphoned gigabytes of data until the breach was discovered in August, people familiar with the inquiry have said. Investigators believe the attack originated in Russia, the people said.

Government officials and security specialists have long warned of the possibility of cyber disruptions in the financial system and other services and utilities. Those concerns are heightened in times of conflict.

Russia’s annexation of the Crimean peninsula touched off a wave of sanctions in March that have hurt trade and threaten to send President Vladimir Putin’s economy into recession. Tensions mounted as the conflict expanded beyond Crimea and as the U.S. and Europe deepened their protests of Russia’s actions.

Dmitry Peskov, a spokesman for Putin, previously dismissed the notion that Russia was behind the JPMorgan attack as “nonsense.”

–With assistance from Jordan Robertson in Washington and Katia Dmitrieva in Toronto.