Modern field guide to security and privacy
Eric Thayer/Reuters/File
People walk by the JPMorgan Chase Co. building in New York, October 24, 2013.

Cybersecurity mystery at JPMorgan Chase: What were hackers after?

The massive online security breach at JPMorgan Chase has confounded investigators because only customers' contact information appears to have been taken. And there is no evidence that funds were stolen.

The online security breach of JPMorgan Chase has raised puzzling questions about what the overseas hackers were after – and has pointed up just how steep the challenges are to keep information safe online.

In the JPMorgan Chase incident, which is one of the largest online security breaches in history, the hackers were able to access the contact information of 76 million households and 7 million small businesses having accounts with the banking behemoth, the company disclosed Thursday.

The massive incursion, however, has confounded investigators and other cybersecurity experts since only names, mailing addresses, e-mail addresses, and phone numbers appear to have been taken. And so far, there is no evidence that the hack was used to steal funds or gather sensitive account information.

In a filing with the US Securities and Exchange Commission on Thursday, JPMorgan Chase, the largest US bank with nearly $2.5 trillion in assets at the end of 2013, said there was “no evidence” that the hackers accessed account numbers, passwords, user IDs, dates of birth, or Social Security numbers.

But company officials were aware of the breach since July, when they said only 1 million customer accounts were compromised. Thursday’s revelation that the number was actually 83 million shocked cybersecurity experts around the nation.

“I think ‘crazy’ is just the way to describe it – I mean, it’s almost inexplicable,” says Fred Cate, former director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. “Somebody used a sophisticated technique, we’re told, to break into this major international bank, and all they took were names and addresses?”

Adding to worries is the fact that the hackers, which investigators suspect may have come from Russia or Eastern Europe, according to reports, were able to access more than 90 JPMorgan Chase servers for nearly two months before they were detected, and they had obtained the highest level of administrative privileges, say people with knowledge of the investigation.

“It’s entirely possible the bad guys weren’t even after the information, they were after something else,” Brian Krebs, a cybersecurity investigator, told the Boston Herald. “If they have a month inside your network and they have time to cover their tracks, it could be difficult to find out what they touched.”

The hack at JPMorgan Chase comes after a series of troubling data breaches at some of the nation’s largest retail chains. Last year, hackers were able to access the information of 40 million credit-card and other card holders at Target, as well as 56 million this year at Home Depot.

Other companies, including the sandwich chain Jimmy John’s, the supermarket chain SuperValu, and a number of health-care providers have also reported data breaches this year.

“More than anything, it just raises this control question,” says Mr. Cate, who is also a professor at Indiana University’s Maurer School of Law. “Are our data in control anywhere? It’s not that we’re not winning the war – we don’t even know how bad the casualties are right now.”

“JPMorgan Chase, both for legal reasons and for competition reasons, I think we can assume had pretty good security,” he continues. “And we think of banks as having better security than retailers, for example. Yet when you see a bank breached at this level, with this number of [customers] and at this duration, it really does suggest that we’re not on top of this.”

The battle against hackers, say cybersecurity experts, is a 24/7, 365-day-a-year arms race as new and sophisticated methods of infiltrating networks are constantly evolving. Some “phishing” attacks have been known for decades, but newer, much more advanced “malware” can sneak into networks undetected.

And the United States lacks a centralized, mandatory database of malware “signatures” – the telltale signs of a malicious hack that allow security experts to set up firewalls against them nationwide, experts say.

“Knowing about this breach would certainly make every other bank in the country go back and look for the very same signatures of this type of breach,” says Cate. “And you’d like to think this kind of information would be provided, at least to regulators, as quickly as possible – in hours or days, not months.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Cybersecurity mystery at JPMorgan Chase: What were hackers after?
Read this article in
QR Code to Subscription page
Start your subscription today