Computer hackers targeted JPMorgan Chase & Co. (JPM) and at least four other banks in a coordinated attack on major financial institutions this month, according to a U.S. official.
The attack led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement. The two people, who asked not to be identified because the investigation is continuing, discussed the incident after Bloomberg News reported a breach on banks earlier today.
Hackers targeted customer and employee information, said a third person involved in the investigation, who was also briefed by the government. The theft involved gigabytes of data, said several people familiar with the attacks. The scale indicates a potential for significant financial fraud.
Most thefts of financial information involve retailers or personal computers of consumers. Stealing data from big banks is rare, because they have elaborate firewalls and security systems.
The Bloomberg report said the FBI is investigating whether Russian hackers attacked JPMorgan and at least one other bank in retaliation for sanctions on the country over its involvement in the Ukraine military conflict. New York-based JPMorgan declined to comment on whether it was a victim of hacking, while saying the bank has multiple layers of defense to fend off data thefts.
“Companies of our size unfortunately experience cyber attacks nearly every day,” Patricia Wexler, a JPMorgan spokeswoman, said in an e-mail.
JPMorgan hasn’t detected any unusual activity or fraud thus far, said a person with knowledge of the matter.
Authorities are looking for signs the stolen data has been used to move money from accounts. No such activity had been spotted as of this afternoon, the U.S. government official said. The absence of fraud provides some support that the hack could have been politically motivated.
In the latest attack on the U.S. financial system, the use of a software flaw known as a “zero-day” in one bank’s website and the way the criminals navigated through elaborate layers of security indicates a degree of skill beyond an ordinary hacker, said two of the people familiar with the attacks. Zero-day refers to the fact that developers don’t know the vulnerability exists, making it easy for hackers to take remote command of a computer.
JPMorgan Chase spends about $200 million each year to protect itself from cyber attacks, Chief Executive Officer Jamie Dimon wrote in a April 2013 letter to shareholders.
“This number will grow dramatically over the next three years,” Dimon said. “More than 600 employees across the firm are dedicated to the task. And this number likely will grow as well.”
Full article: JPMorgan, Four Other Banks Hit by Hackers: U.S. Official (Bloomberg)