By Danny Yadron And Emily Glazer
J.P. Morgan Chase & Co. may not have discovered the breach
in its computer systems as quickly this past summer if it hadn't
gone looking for trouble elsewhere, people briefed on the
investigation said.
The bank learned hackers stole contact data for 76 million
households and 7 million small businesses because the intruders had
used some of the same offshore servers to hack both the bank and a
corporate charity race website, whose breach was discovered
first.
The previously unreported account of the incident shows J.P.
Morgan was both ahead of the curve and behind it while
investigating its massive data breach. On the one hand, the bank's
investigators discovered the incident on their own by looking
outside their sprawling network. On the other, the hackers were in
the bank's network for months undetected and only revealed
themselves because of an apparent slip-up.
In early August, a security vendor announced it had located a
massive trove of email addresses and passwords that hackers had
amassed from thousands of websites over the years. Buried in the
cache: an indication the hackers hit the website for the J.P.
Morgan Chase Corporate Challenge, a series of charity running races
sponsored by the bank, people briefed on the investigation
said.
The vendor, Hold Security Inc., is run by Alex Holden, an expert
in Russian cybercrime. Mr. Holden declined to comment on whether he
had indications the Corporate Challenge website was hacked.
J.P. Morgan and its security vendors discovered the cache
included information from the Corporate Challenge website, which is
managed by an outside company and isn't connected to the bank's
network. The bank says it doesn't believe that the Corporate
Challenge website was an entry point for hackers into the bank's
servers.
Investigators at the bank linked that breach back to several
overseas I.P. addresses. Then they queried J.P. Morgan's own
network logs to see if there had been any communication with those
addresses.
There were. The bank discovered that hackers had been in its
system since at least June. The investigators ultimately linked the
attack to 11 I.P. addresses that were distributed anonymously to
other banks in mid-August.
Several of those I.P. addresses, viewed by The Wall Street
Journal, link back to Eastern Europe, including Russia. Other
addresses could be linked to Egypt and Brazil, according to a
search of public Internet records.
A J.P. Morgan spokeswoman said all known hacker entry points to
J.P. Morgan's systems were shut down in August. The Federal Bureau
of Investigation, which is leading the probe, didn't immediately
comment.
In recent weeks, the investigation has been hampered, the people
said, because hackers deleted many of the log files that tracked
their movements through the bank's network.
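The retrospective sweep described above, as an added example that is not code from the article, the bank or its vendors: take attacker addresses observed at another breach, search one's own connection logs for any contact with them, record first and last contact per indicator to estimate dwell time, and flag stretches with no records at all, since silence in normally continuous logs is a coverage gap to explain (deleted logs being one cause). The log lines, internal hosts and indicator addresses are constructed placeholders, not the indicators from the case.

```python
from datetime import datetime, timedelta

# Constructed sample of egress/firewall log lines: "timestamp src_ip dst_ip bytes".
# Addresses are documentation-range placeholders, not the indicators from the case.
SAMPLE_LOG = """\
2014-06-03T02:14:07Z 10.20.30.41 203.0.113.10 4096
2014-06-03T09:30:00Z 10.20.30.41 198.51.100.5 1200
2014-06-05T22:01:44Z 10.20.30.77 203.0.113.10 8192
2014-06-06T11:11:11Z 10.20.30.41 192.0.2.200 512
2014-06-12T03:45:00Z 10.20.30.77 198.51.100.9 9000
2014-06-13T03:45:00Z 10.20.30.77 203.0.113.10 100
"""

# Constructed indicator list standing in for the addresses seen at the other breach.
IOC_IPS = {"203.0.113.10", "198.51.100.9"}

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return events

def sweep(events, iocs):
    """Match either endpoint against the indicator set; track first/last contact
    (dwell-time estimate) and which internal hosts talked to each indicator."""
    hits = {}
    for ts, src, dst, _ in events:
        for ip in (src, dst):
            if ip in iocs:
                h = hits.setdefault(ip, {"first": ts, "last": ts, "hosts": set()})
                h["first"] = min(h["first"], ts)
                h["last"] = max(h["last"], ts)
                h["hosts"].add(src if ip == dst else dst)
    return hits

def coverage_gaps(events, max_gap=timedelta(days=3)):
    """Return (start, end) pairs of silent stretches longer than max_gap."""
    times = sorted(e[0] for e in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, h in sweep(ev, IOC_IPS).items():
        print(ip, h["first"], h["last"], sorted(h["hosts"]))
    for a, b in coverage_gaps(ev):
        print("no records between", a, "and", b)
```

The earliest hit per indicator is only a lower bound on dwell time; a gap that overlaps the matches means the real first contact may lie inside the missing records.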
But federal and private investigators have reached some initial
conclusions. For one, numerous indications suggest the J.P. Morgan
hackers spoke Russian. This view is buttressed, investigators say,
by the links to Mr. Holden's database, which he has said traced to
the Russian criminal underground.
One complicating matter: Russian spies and criminals are
believed to use some of the same hacking tools, which can blur the
lines of responsibility. One U.S. official briefed on the probe
said the J.P. Morgan case has been hard to pin down and described a
"gray area" between the work of Russian spies and criminals.
Financial-service industry executives point out that the bank,
which is planning to spend $250 million this year on cybersecurity,
was able to block the hackers from going after the most sensitive
data--market strategy or customer account information.
But they also acknowledge they are concerned hackers could gain
a foothold in J.P. Morgan's network for about two months without
tipping off the bank. People briefed on the investigation said the
bank had no indication there was a problem before investigating the
Corporate Challenge breach.
If the hackers hadn't used the same I.P. addresses to launch
cyberattacks on both the bank and race websites, it isn't clear
when the bank would have discovered the problem, the people
said.
The hackers originally got into J.P. Morgan's network by
compromising the computer an employee with special privileges used
at both work and at home, two people briefed on the investigation
said.
From there, the hackers were able to move across the bank's
network to access contact data.
After finding the breach, J.P. Morgan security staff distributed
the 11 I.P. addresses anonymously to a bank cybersecurity
association, called the Financial Services Information Sharing and
Analysis Center, or FS-ISAC. The move triggered a notification to
other banks, which began to check if they too had been hacked.
All told, the hackers targeted at least 13 financial firms and
stole data from several of them, including Fidelity Investments
Inc. The names of the other firms that lost data couldn't be
learned. Fidelity has said "there is no indication Fidelity
customer accounts, information, services or systems were
affected."
J.P. Morgan's chief executive, James Dimon, recently has said
the bank will double its spending on cybersecurity. In the past
month, its executives have reached out to other cybersecurity
experts to discuss which technologies to spend that money on,
people familiar with the meetings said.
Devlin Barrett contributed to this article.
Write to Danny Yadron at danny.yadron@wsj.com and Emily Glazer
at emily.glazer@wsj.com