By Danny Yadron, Emily Glazer and Devlin Barrett
The Federal Bureau of Investigation is probing a
computer-hacking attack on J.P. Morgan Chase & Co. and as many
as four other banks, in what people familiar with the probe
described as a significant breach of corporate computer
security.
The timing and extent of the hacking attacks weren't immediately
clear, though cybersecurity experts began probing the possible J.P.
Morgan breach earlier this month, according to people familiar with
the investigation.
J.P. Morgan said Thursday morning it isn't seeing "unusual
fraud" and it is working closely with law enforcement to determine
the scope of the attack. The largest U.S. bank by assets added that
it is taking "additional steps" to safeguard sensitive or
confidential information and will contact relevant parties as it
learns more about who may have been impacted.
It stressed customers should contact the bank -- as always -- if
any suspicious activity on their accounts is detected and they will
not be liable for fraud.
People familiar with the investigation said the evidence
gathered so far suggested hackers were able to make a significant
foray into J.P. Morgan's computer system. People with knowledge of
the probe said it appeared between two and five U.S. financial
institutions may have been affected. The names of all targeted
banks couldn't be immediately determined.
J.P. Morgan and federal cyber investigators are in discussions
as they examine the apparent attack on the bank's computer
system.
"Companies of our size unfortunately experience cyberattacks
nearly every day," Trish Wexler, a J.P. Morgan spokeswoman,
said Wednesday. "We have multiple layers of defense to counteract
any threats and constantly monitor fraud levels."
The FBI said Wednesday it is "working with the United States
Secret Service to determine the scope of recently reported cyber
attacks against several American financial institutions."
The attack appears to have been caused by malicious computer
code, known as malware, according to a person familiar with the
matter.
Thefts of U.S. corporate data have in the past often come from
hackers based in China, Russia or the former Soviet Union, though
that doesn't mean the cyberattacks involve those governments. Just
as in the U.S., hackers in those countries can act on their own and
sell stolen data to other organizations.
The style of the attacks and the targets--large U.S. financial
institutions--have led some people briefed on the investigation to
suspect a possible Russian or Eastern European link. Russian
organized crime often targets large financial institutions. But
several people with knowledge of the investigation cautioned it is
too early to tell who was behind the attacks.
Hackers appear to have originally breached J.P. Morgan's network
via an employee's personal computer, a person close to the
investigation said. From there, the intruders were able to move
further into the bank's inner systems. Employees often use software
to tap in to corporate networks from home through what are known as
virtual private networks.
Such an attack would mark the latest instance in which a large
corporate network was breached by a weak external link. When
hackers stole 40 million payment-card numbers from Target Corp.
last year, they originally infiltrated the retailer by stealing a
ventilation contractor's password.
In mid-August, cybercriminals hacked in to nearly 1,000 grocery
stores around the U.S. The common link: Supervalu Inc. of Eden
Prairie, Minn., which managed the stores' technology services and
had remote access to those locations, people familiar with that
incident have said.
In recent weeks, J.P. Morgan called numerous security vendors
with concerns it had a problem, people close to the investigation
said. The bank in recent months hired a number of employees with
Defense Department experience because the firm treats cybersecurity
as a problem akin to military security, people familiar with the
matter said.
Cybersecurity has been a chief concern--and cost--for large
banks over the past few years.
J.P. Morgan, along with other banks, has been vulnerable to
attacks in the past, particularly so-called distributed denial of
service threats, known as DDoS. These attacks knock websites
offline by flooding them with useless traffic. Iranian hackers
aimed a DDoS attack at J.P. Morgan, U.S. Bancorp, PNC Financial
Services Corp. and Wells Fargo & Co. in 2012, according to U.S.
officials.
James Dimon, chairman and chief executive of J.P. Morgan, wrote
in his annual shareholder letter this year that the bank will spend
more than $250 million annually and have about 1,000 people focused
on cybersecurity by the end of 2014. That includes building and
running three Cybersecurity Operations Centers in its regional
headquarters to coordinate incoming information, identify threats,
create response procedures and coordinate security of its buildings
world-wide, he wrote.
"Cyberattacks are growing every day in strength and velocity
across the globe," he wrote. "It is going to be a continual and
likely never-ending battle to stay ahead of it--and, unfortunately,
not every battle will be won."
Write to Danny Yadron at danny.yadron@wsj.com, Emily Glazer at
emily.glazer@wsj.com and Devlin Barrett at
devlin.barrett@wsj.com