JP Morgan hack may have been a message from Putin

US intelligence officials are saying that last week's computer hack on JP Morgan's system that may have affected as many as 83 million American households and businesses could have been a message to the US government and Wall Street from Russian President Vladimir Putin. It turns out that 9 other big financial institutions were also attacked by the same gang.

The New York Times is reporting that the hackers were from Russia and had a loose connection to the Putin government.

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.

The breadth of the attacks — and the lack of clarity about whether it was an effort to steal from accounts or to demonstrate that the hackers could penetrate even the best-protected American financial institutions — has left Washington intelligence officials and policy makers far more concerned than they have let on publicly. Some American officials speculate that the breach was intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.

“It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence said. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”

The attack was discovered in July and technicians were able to stop the hackers before they penetrated data that contained highly sensitive and personal information:

The JPMorgan hackers burrowed into the digital network of the bank and went down a path that gave them access to information about the names, addresses, phone numbers and email addresses of account holders. They never made it into where the more critical financial information and personal information are stored.

The bank’s security team, which first discovered the attack in late July, managed to block the hackers before they could compromise the most sensitive information about tens of millions of JPMorgan customers, said several security experts and others briefed on the matter. The attack was not completely halted until the middle of August and it was only in recent days that the bank began to tally its full extent.

One of the big issues raised by the hacks is when should a company inform its customers that their personal information had been compromised? The hack was discovered in July and we're just finding out about it now? This goes beyond airing a company's dirty laundry and admitting it's vulnerable. Consumers should have the right to protect themselves.

It may be that some delay is necessary as authorities seek to track the hackers. Disclosing to the criminals that they've been discovered would result in them breaking off the attack and disappearing before vital information about the hack has been discovered.

But as with the Target attack, which compromised tens of millions of credit and debit card numbers, JP Morgan didn't inform their customers for many weeks. It would appear that this is an instance of the law being behind the curve of technology, and some provision should be made to notify consumers of a hack in a timely manner.

US intelligence officials are saying that last week's computer hack on JP Morgan's system that may have affected as many as 83 million American households and businesses could have been a message to the US government and Wall Street from Russian President Vladimir Putin. It turns out that 9 other big financial institutions were also attacked by the same gang.

The New York Times is reporting that the hackers were from Russia and had a loose connection to the Putin government.

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.

The breadth of the attacks — and the lack of clarity about whether it was an effort to steal from accounts or to demonstrate that the hackers could penetrate even the best-protected American financial institutions — has left Washington intelligence officials and policy makers far more concerned than they have let on publicly. Some American officials speculate that the breach was intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.

“It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence said. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”

The attack was discovered in July and technicians were able to stop the hackers before they penetrated data that contained highly sensitive and personal information:

The JPMorgan hackers burrowed into the digital network of the bank and went down a path that gave them access to information about the names, addresses, phone numbers and email addresses of account holders. They never made it into where the more critical financial information and personal information are stored.

The bank’s security team, which first discovered the attack in late July, managed to block the hackers before they could compromise the most sensitive information about tens of millions of JPMorgan customers, said several security experts and others briefed on the matter. The attack was not completely halted until the middle of August and it was only in recent days that the bank began to tally its full extent.

One of the big issues raised by the hacks is when should a company inform its customers that their personal information had been compromised? The hack was discovered in July and we're just finding out about it now? This goes beyond airing a company's dirty laundry and admitting it's vulnerable. Consumers should have the right to protect themselves.

It may be that some delay is necessary as authorities seek to track the hackers. Disclosing to the criminals that they've been discovered would result in them breaking off the attack and disappearing before vital information about the hack has been discovered.

But as with the Target attack, which compromised tens of millions of credit and debit card numbers, JP Morgan didn't inform their customers for many weeks. It would appear that this is an instance of the law being behind the curve of technology, and some provision should be made to notify consumers of a hack in a timely manner.