A cyber attack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
The details of the breach — disclosed in a securities filing on Thursday — emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others were compromised at Target, while an attack at Home Depot in September affected 56 million cards.
But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data.
JP Morgan Chase building, New York
“We’ve migrated so much of our economy to computer networks because they are faster and more efficient, but there are side effects,” said Dan Kaminsky, a researcher who works as chief scientist at White Ops, a security company.
Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks.
As the severity of the intrusion — which began in June but was not discovered until July — became more clear in recent days, bank executives scrambled for the second time in three months to contain the fallout and to reassure skittish customers that no money had been taken and that their financial information remained secure.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan’s computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank’s systems, according to several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity.
Operating overseas, the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. In its regulatory filing on Thursday, JPMorgan said that there was no evidence that account information, including passwords or Social Security numbers, had been taken. The bank also noted that there was no evidence of fraud involving the use of customer information.
Jamie Dimon; Chairman and CEO of JP Morgan Chase
Still, until the JPMorgan breach surfaced in July, banks were viewed as relatively safe from online assaults because of their investment in defenses and trained security staff. Most previous breaches at banks have involved stealing personal identification numbers for A.T.M. accounts, not burrowing deep into the internal workings of a bank’s computer systems.
Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime. In 2011, hackers broke into the systems of the Nasdaq stock market, but did not penetrate the part of the system that handles trades.