WASHINGTON - President Obama and his top national security advisers began receiving periodic briefings on the huge cyberattack at JPMorgan Chase and nine other financial institutions this summer, part of a new effort to keep top national security officials as updated on major cyberattacks as they are on Russian incursions into Ukraine or Islamic State attacks.
But in the JPMorgan case, according to officials familiar with the briefings, no one could tell the president what he most wanted to know: What was the motive of the attack? 'The question kept coming back, "Is this plain old theft, or is Putin retaliating?"' one senior official said, referring to the American-led sanctions on Russia. 'And the answer was: We don't know for sure.'
More than three months after the first attacks were found, the source is still unclear and there is no evidence that any money was taken from any institution. But questions are being asked across Wall Street as other targets emerge. At least three companies - Citigroup, E*Trade Financial and HSBC - found that one of the same web addresses used to penetrate JPMorgan had tried to get into their systems, people briefed on the matter say.
The Federal Bureau of Investigation, after being contacted by JPMorgan, took the I.P. addresses that the hackers were believed to have used to breach JPMorgan's computer system to other financial institutions to see whether the same intruders had tried to hack into their systems as well, these people said. The banks also share information among themselves.
The three companies declined to comment. The identities of the other companies could not be learned on Wednesday.
JPMorgan has said that the attackers obtained names and some email addresses, but they did not penetrate far enough to get account information, and that there is no evidence of any illicit movement of money across the 76 million affected households.
The F.B.I. has begun a criminal inquiry into the attacks, and the Secret Service has been involved as well. But across Wall Street, the scale and breadth of the attacks - and the lack of clarity about the identity or motive of the hackers - shows not only the vulnerability of the most heavily fortified American financial institutions, but the difficulty, despite billions of dollars spent in detection technology, in finding the sources of attack.
And because it is so difficult to trace an attack to its source, it is next to impossible to deter one.
'People don't pay a price for attacks,' the director of the National Security Agency, Adm. Michael S. Rogers, said in an interview earlier this year. 'It's one of our biggest challenges.'
Other questions are being asked about what should be the obligation of financial institutions to report such attacks. A number of state attorneys general, led by the Illinois prosecutor Lisa Madigan and the Connecticut attorney general, George Jepsen, have opened investigations into the JPMorgan breach, according to the people briefed on the matter. The inquiries are looking at whether the bank, the nation's largest, alerted customers about the breaches in a timely manner. Any prolonged delay - a lag between when the bank learned that vast stores of information were pilfered and when they alerted customers - could put consumers at risk, the people said.
Under federal and state law, JPMorgan did not have to alert customers about the breach because the bank determined that only contact information was breached.
Prosecutors in Ms. Madigan's office are discussing whether to update a 2006 Illinois law that requires companies to alert consumers in a timely fashion if their financial information - including Social Security and account numbers - was taken. The debate underway now, the people said, is whether the law should be expanded to also include notification requirements when hackers take only nonfinancial information like email addresses.
'We communicated to customers repeatedly that we had been breached, and hadn't seen unusual fraud levels related to this - first in August, again in mid-September, and most recently last week,' said Patricia Wexler, a JPMorgan spokeswoman. 'We were careful to get far enough along in our internal investigation to have the most complete information, and wanted to be sure we could confidently say no financial information had been compromise
On Tuesday, the offices of Ms. Madigan and Mr. Jepsen held a call with officials at JPMorgan to discuss the attack, the people said. Since the breach at Target last year, prosecutors from both states have been holding monthly calls - part of a broader privacy task force.
JPMorgan has repeatedly said that none of the information taken - names, phone numbers, addresses and emails - has led to any incidents of fraud. Furthermore, the bank points out that no money was stolen from customer accounts.
But security consultants caution that email addresses may be enough information for hackers to engage in 'phishing' expeditions to trick customers into providing them with that additional personal information.
The breach is under investigation from Preet Bharara, the United States attorney in Manhattan, according to a person briefed on the matter.
But actually finding the perpetrators of the attack is a much more daunting task. Thomas G.A. Brown, a senior managing director with FTI Consulting, knows first-hand the difficulty of tracking overseas criminals and bringing them to justice.
Until recently, Mr. Brown was chief of the computer and intellectual property crime unit for the United States attorney's office in Manhattan. Mr. Brown oversaw the indictment of Aleksandr Kalinin, a Russian national charged with hacking into some of the computer systems of the Nasdaq stock market in 2011. Mr. Kalinin remains at large.
Referring to the challenges of piecing together a portrait of the attackers, Mr. Brown said: 'It's not the equivalent of gunshots being fired, a body on the street, and witnesses who see a person with a gun running away.'
The search to determine exactly what the hackers took, and why, gained even more urgency last week, according to several people briefed on JPMorgan's internal investigation. The breach, discovered this summer, was far more extensive than the bank originally realized. This summer, some investigating the breach put the number of compromised accounts at around one million, according to two people briefed on the bank's internal investigation. By last week, as the internal investigation continued, the people said, that number had multiplied exponentially. Bank executives relayed the new details - 76 million households compromised - to its board.
Other disclosures have been more subtle. In a regulatory filing in August, as the bank grappled with the breach, JPMorgan said its board and audit committee 'are regularly apprised' of significant cybersecurity events.
That language did not appear in an earlier regulatory filing from 2013 or in an earlier quarterly report.
The scale of the intrusion and the fact it went undetected for about three weeks has led some to question whether JPMorgan, which has offices around the world and more than 260,000 employees, is 'too big to secure.'
JPMorgan and a number of financial institutions, including E*Trade and Citigroup, were breached before. Last June, the United States attorney in New Jersey, Paul J. Fishman, charged eight people in connection with an attack that resulted in the theft of $15 million. The lead defendant charged in the case is at large and believed to be living in Ukraine. At the time of the charges, Mr. said that 'cybercriminals penetrated some of our most trusted financial institutions as part of a global scheme that stole money and identities from people in the United States.'
Nicole Perlroth contributed reporting.