Obama Got Early Warning on JPMorgan Breach
Updated, 9:57 p.m. | President Obama and his top national security advisers began receiving periodic briefings on the huge cyberattack at JPMorgan Chase and other financial institutions this summer, part of a new effort to keep security officials as updated on major cyberattacks as they are on Russian incursions into Ukraine or attacks by the Islamic State.
But in the JPMorgan case, according to administration officials familiar with the briefings, who would not speak on the record about intelligence matters, no one could tell the president what he most wanted to know: What was the motive of the attack? “The question kept coming back, ‘Is this plain old theft, or is Putin retaliating?’ ” one senior official said, referring to the American-led sanctions on Russia. “And the answer was: ‘We don’t know for sure.’ ”
More than three months after the first attacks were discovered, the source is still unclear and there is no evidence any money was taken from any institution.
But questions are being asked across Wall Street as other targets emerge. The F.B.I., after being contacted by JPMorgan, took the I.P. addresses the hackers were believed to have used to breach JPMorgan’s system to other financial institutions, including Deutsche Bank and Bank of America, these people said. The purpose: to see whether the same intruders had tried to hack into their systems as well. The banks are also sharing information among themselves.
In all, the authorities believe that the hackers may have tried to infiltrate about a dozen financial institutions, said one of the people briefed on the matter. Fidelity Investments and E*Trade are among those institutions that law enforcement officials believe were victimized in some way by the attacks, the person said.
While Deutsche Bank and Bank of America scanned their systems, the people said, they did not find any evidence that the hackers had tried to get in.
Adam Banker, a Fidelity spokesman, said, “We have no indication that any Fidelity customer sites, accounts, information, services or systems were affected by this matter.” E*Trade had no comment.
Separately, at least five other banks — ADP, Bank of the West, Citigroup, HSBC and Regions Financial — found that one of the same web addresses used to penetrate JPMorgan had tried to get into their systems, people briefed on the matter said. But those companies may not necessarily be the focus of law enforcement.
Citigroup and the Bank of the West declined to comment. Robert Sherman, an HSBC spokesman, said the bank “takes its security and the security of its customer information very seriously,” adding, “We continue to monitor the situation closely, and are in touch with law enforcement and financial industry groups that collect and communicate cybersecurity information.”
Jim Duffy, an ADP spokesman, said the payroll processing firm had “observed Internet-based traffic from those criminals allegedly reported” to have hacked into JPMorgan. But he added that ADP had not “observed any issues associated with such scanning of our defenses.” Regions said in a statement that it “consistently monitors for any unusual activity. At this point, we have no evidence of any breach.”
The other companies’ names could not be learned Wednesday.
JPMorgan has said that the attackers obtained names and some email addresses but did not penetrate enough to get account information, and that there was no evidence of any illicit movement of money across the 76 million affected households.
The F.B.I. has begun a criminal inquiry into the attacks, and the Secret Service has been involved as well. But the scale and breadth of the attacks — and the lack of clarity about the hackers’ identity or motive — show not only the vulnerability of the most heavily fortified American financial institutions but also the difficulty, despite billions of dollars spent in detection technology, in finding the sources of attack.
And because it is so difficult to trace an attack to its source, it is next to impossible to deter one, security industry experts said.
“People don’t pay a price for attacks,” the director of the National Security Agency, Adm. Michael S. Rogers, said in an interview this year. “It’s one of our biggest challenges.”
Other questions are being asked about what the obligation of financial institutions to report such attacks should be. A number of state attorneys general, led by Lisa Madigan of Illinois and George Jepsen of Connecticut, have opened investigations into the JPMorgan breach, according to the people briefed on the matter. The inquiries are looking at whether the bank, the nation’s largest, alerted customers in a timely manner. A prolonged delay between when the bank learned that vast stores of information were pilfered and when it alerted customers could put consumers at risk, the people said.
Under federal and state law, JPMorgan did not have to alert customers about the breach because it had determined that only contact data was breached.
Prosecutors in Ms. Madigan’s office were discussing whether to seek an update to a 2006 Illinois law that requires companies to alert consumers in a timely fashion if their financial information — including Social Security and account numbers — is taken. The debate now, the people said, is whether the law should also include notification requirements when hackers take nonfinancial information like email addresses.
“We communicated to customers repeatedly that we had been breached and hadn’t seen unusual fraud levels related to this — first in August, again in mid-September, and most recently last week,” said Patricia Wexler, a JPMorgan spokeswoman. “We were careful to get far enough along in our internal investigation to have the most complete information, and wanted to be sure we could confidently say no financial information had been compromised.”
On Tuesday, the offices of Ms. Madigan and Mr. Jepsen held a call with officials at JPMorgan to discuss the attack, the people said. Since the breach at Target last year, prosecutors from both states have been holding monthly calls — part of a broader privacy task force.
The data breach at JPMorgan Chase was among “the most troubling breaches ever,” Ms. Madigan said, adding that it proved “there is probably no database that cybercriminals cannot compromise.”
JPMorgan has repeatedly said that none of the information taken — names, phone numbers, addresses and emails — has led to any episodes of fraud. Furthermore, it said that no money was stolen from customer accounts.
But security consultants caution that email addresses may be enough information for hackers to engage in “phishing” expeditions to trick customers into providing them with additional personal information.
The breach is under investigation by Preet Bharara, the United States attorney in Manhattan, according to a person briefed on the matter.
But actually finding the perpetrators of the attack is a daunting task. Thomas G. A. Brown, a senior managing director with FTI Consulting, knows firsthand the difficulty of tracking overseas criminals and bringing them to justice.
Until recently, Mr. Brown was chief of the computer and intellectual property crime unit of the United States attorney’s office in Manhattan. Mr. Brown oversaw the indictment of Aleksandr Kalinin, a Russian national charged with hacking into some of the computer systems of the Nasdaq stock market in 2011. Mr. Kalinin remains at large.
Referring to the challenges of piecing together a portrait of the attackers, Mr. Brown said: “It’s not the equivalent of gunshots being fired, a body on the street, and witnesses who see a person with a gun running away.”
The search to determine exactly what the hackers took, and why, gained even more urgency last week, according to several people briefed on JPMorgan’s internal investigation. The breach, discovered this summer, was far more extensive than the bank originally realized.
This summer, some investigating it put the number of compromised accounts at around one million, according to two people briefed on the bank’s internal investigation. By last week, as the investigation continued, the people said, that number had multiplied exponentially. Bank executives relayed the new details — 76 million households compromised — to its board.
Other disclosures have been more subtle. In a regulatory filing in August, as the bank grappled with the breach, JPMorgan said its board and audit committee “are regularly apprised” of significant cybersecurity events. That language did not appear in an earlier filing from 2013 or in an earlier quarterly report.
The scale of the intrusion and the fact that it went undetected for about three weeks have led some to question whether JPMorgan, which has offices around the world and more than 260,000 employees, is “too big to secure.”