Cyberattacks and intrusions threaten U.S. private sector institutions on a daily basis. From low-level cyber fraud to sophisticated intrusions into sensitive systems, the Western private sector has been under direct assault for years from myriad cyber actors—from criminal fraudsters to sophisticated state actors. Over the years, these attacks have cost the private sector billions of dollars of intellectual property and years of research and development and cast doubt on the ability of companies to secure customers’ data and their systems. And now, the financial industry—namely major Western banks—finds itself at the center of this cyber storm.
On Thursday, October 2, 2014, JPMorgan Chase & Co., the largest American bank by assets, announced that a cyberattack it had detected in mid-August 2014 had compromised the accounts of 76 million households and seven million small businesses. The JPMorgan attack—which began in June and is believed to have originated from Russia—went unnoticed for two months, despite the $250 million in cybersecurity that the bank expected to spend by year’s end. Hackers had gained access to the bank’s servers containing the names, email addresses, phone numbers, and addresses of both current and former customers. The same group of overseas hackers appears to have attempted to infiltrate at least twelve other financial institutions, including Fidelity Investments.
JPMorgan maintains that the hackers were unable to gather detailed information that would be particularly damaging to consumers and that no fraudulent activity has been reported. Passwords, account numbers, social security numbers, dates of birth, and other information valuable to any cyber attacker looking for financial gain remain unperturbed. In a statement to its customers, the bank insisted that customer money was “safe.”
Some have rightly noted that if the attackers were good enough to compromise JPMorgan’s network, they may have left themselves backdoors into its servers that remain undetected. Cybersecurity experts have opined that there is a possibility that “ghost” or undetected intrusions may still be of concern. It remains unclear exactly how much information the hackers accessed, but the number of those affected makes the breach one of the largest ever. Indeed, the hackers may have also been sending a message to the bank, industry, and U.S. government about their capabilities with the extent and reach of their intrusion.