Hackers who attacked JPMorgan accessed data of 76 million households
JPMorgan says phishing is the main threat, as attackers got access to names and contact details
PUBLISHED : Friday, 03 October, 2014, 8:35pm
UPDATED : Friday, 03 October, 2014, 8:35pm
Bloomberg in Washington and Toronto
JPMorgan has 65 million customers and some of those affected by the incursion were outside the US. Photo: AP
Hackers exploited an employee password to crack a JPMorgan Chase server and pull off one of the largest cyber-attacks ever, accessing data on 76 million households and 7 million businesses.
JPMorgan, the largest US bank, outlined the scope of the breach on Thursday. It reassured clients there was no evidence account numbers and passwords were compromised, even though names and contact data were exposed. People who logged on to certain websites or mobile apps had contact information stolen, the company said.
The bank has been struggling to head off damage since the incident was first reported in August. New details of how attackers accomplished the feat over months, including their initial entry, were provided by two people briefed on the investigation. JPMorgan said the threat now was phishing, in which criminals try to trick people into handing over more valuable data, such as user IDs and passwords.
"If they find the CEO of a company, they know this person's worth a lot; they would try to attack that person," said Jeff Tjiputra, cybersecurity programme chairman at the University of Maryland University College.
In addition to contact information, hackers tapped data identifying whether customers were clients of the private bank, mortgage, auto or credit card divisions, said Patricia Wexler, a JPMorgan spokeswoman.
"There's no evidence that account information - things like account numbers, passwords, log-in IDs - were accessed, viewed or acquired," Wexler said. For example, she said, the hackers wouldn't know the balance of a customer's mortgage, only that they were a client of that unit.
JPMorgan has 65 million customers and some of those affected by the incursion were outside the US, she said. Information on both current and former customers was exposed, as well as on non-customers, including people who may have logged on to JPMorgan websites to conduct transactions with bank clients.
Data was compromised through Chase.com and JPMorganOnline.com and the mobile apps that support those websites, Wexler said.
JPMorgan said customers were not liable for unauthorised transactions that were promptly reported. The company disclosed the scope of the breach in a regulatory filing.
The 76 million households affected compare with the US total of about 115 million as of 2012.
Earlier this year, 145 million personal records were taken in a breach of EBay systems. An attack on retailer Target affected as many as 110 million shoppers. An attack at Home Depot disclosed last month compromised 56 million payment cards.
"The data breach at JPMorgan Chase is yet another example of how Americans' most sensitive personal information is in danger," said US Senator Edward Markey, a Massachusetts Democrat and member of the House of Representatives' commerce committee, who called for legislation to protect against cyberattack.
The incursion at JPMorgan, which is being probed by the FBI, started in June. The hackers entered a web-development server with an employee's user name and password, then wormed their way into the network.
The hackers accessed more than 100 servers that housed data across the spectrum of the company's business, including investment banking, credit cards, and residential banking.
Using sophisticated tools and malicious programs, the intruders siphoned gigabytes of data until the breach was discovered in August. Investigators believe the attack originated in Russia.
Dmitry Peskov, a spokesman for Russian President Vladimir Putin, dismissed the notion that Russia was behind the attack.
