Hackers breached JP Morgan network for two months before being discovered

03 Nov 2014

It took banking and financial services giant JP Morgan Chase & Co two months to discover that Russian hackers had breached sensitive information for 76 million households and 7 million small businesses, Reuters reported.

Using offshore servers, hackers gained access to the bank's network as well as the JPMorgan Corporate Challenge website to unlock a billion stolen passwords and usernames from 420,000 websites. The attack was finally uncovered by Milwaukee-based web security consulting firm Hold Security.

The companies first discovered that the hackers had managed to get the website certificate for Simmco Data Systems, the site vendor of the Corporate Challenge. With that certificate, the hackers were able to gain access to communications between the website and those who visited it. The communications included sensitive information such as passwords and emails.

Clients first learned of the breach in August when they were notified by Hold Security. After examining its own network, JPMorgan realised its own data had been breached.

The hackers initially breached the systems through the computer of an employee who had been granted special privileges. They then widened the breach to the rest of the network to grab contact information.

After JP Morgan learned of the hacking, the company took down the Corporate Challenge site, and later restored it for upcoming events in Asia.

What was most disconcerting, however, was that the hackers spent two months inside the bank's network without being detected by either the bank or law enforcement agencies. The security vendor could detect them only because of a slip-up.

The hackers, according to the consulting firm, had infiltrated more than 420,000 websites, The New York Times reported. The newspaper had reported the discovery of the attack on 5 August, but in the days leading up to that report, some companies, including JPMorgan, had received a preview of its findings, according to people briefed on the matter.

Accounts from these and other sources indicated that in late July, Hold Security began sharing the information on the stolen passwords with some of its clients.

This made some security specialists at JPMorgan suspect that hackers had gained access to its systems due to some unusual activity.

The data pointed to a big problem at the website for the JPMorgan Chase Corporate Challenge, which had some of the password combinations and e-mails used by race participants who had registered on the Corporate Challenge website.

The website, run by an outside vendor, is the online platform for annual charitable races that JPMorgan sponsors in major cities.