Updated, 5:02 p.m. |
A cyberattack this summer on JPMorgan Chase compromised more than 76 million household accounts and seven million small-business accounts, making it among the largest corporate hacks ever discovered.
The latest revelations, which were disclosed in a regulatory filing on Thursday, vastly dwarf earlier estimates that hackers had gained access to roughly one million customer accounts.
The new details about the extent of the cyberattack — which began in June but was not discovered until July — sent JPMorgan scrambling for the second time in just three months to contain the fallout.
As the severity of the attack became more clear in recent days and new information was unearthed, some top executives flew back to New York from Naples, Fla., where many had convened for a leadership conference, according to several people briefed on the matter.
Hackers were able to burrow deep into JPMorgan’s computer systems, accessing the accounts of more than 90 servers — a breach that underscores just how vulnerable the global financial system is to cybercrime. Until now, most of the largest cyberattacks on corporations have been confined to retailers like Target and Home Depot.
And unlike those retailers, JPMorgan has far more sensitive financial information about customers. Investigators in law enforcement remain puzzled by the attack on the bank because there was no evidence that the attackers looted any customer money from accounts.
The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
It is still not clear how hackers managed to gain deep access to the bank’s computer network. By the time the bank’s security team discovered the breach in late July, hackers had already gained the highest level of administrative privilege to more than 90 of the bank’s computer servers, according to several people briefed on the results of the bank’s forensics investigation who were not allowed to discuss it publicly.
More disturbing still, these people say, hackers made off with a list of the applications and programs that run on every standard JPMorgan computer– a hacker’s road map of sorts — which hackers could cross check with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems.
These people said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, leaving hackers plenty of time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them reentry into JPMorgan’s systems.
In the filing, JPMorgan said there was no evidence that account information, including passwords or Social Security numbers, were taken.
The original discovery of the cyberattack sent ripples through the financial system and prompted an investigation by the Federal Bureau of Investigation, even as Wall Street, which has been a frequent target for hackers in recent years, worked to guard against the threats.
The bank was also forced to update its regulators, including the Federal Reserve, on the extent of the breach. The bank said at the time that there was no indication that any customer money was taken and that it believed it had secured all its systems.
No comments:
Post a Comment