Cyberattack at JPMorgan Chase Also Hit Website of Bank’s Corporate Race

By Matthew Goldstein, Nicole Perlroth and Jessica Silver-Greenberg

October 15, 2014 10:01 pmOctober 15, 2014 10:01 pm

Photo

Hackers infiltrated the JPMorgan Chase Corporate Challenge website, gaining participants’ passwords and contact information.Credit Boris Roessler/Deutche Presse-Agentur, via AP Images

 

The JPMorgan Chase Corporate Challenge, a series of charitable races held each year in big cities across the world, is one of those feel-good events that bring together professionals from scores of big companies.

It was also a target for the same cyberthieves who successfully breached the bank’s digital perimeters, compromising the accounts of 76 million households and seven million small businesses, according to people with knowledge of the matter.

The JPMorgan Chase Corporate Challenge website, which is managed by an outside vendor, has been conspicuously inaccessible since early August, with visitors to the site seeing only a lonely list of coming races. The link between the breach on that website and the broader attack, which the bank said did not compromise any financial information, has not been previously reported.

The bank said it discovered the breach in the Corporate Challenge website on Aug. 7, about a week after it learned of the broader intrusion into its computer network. By infiltrating the race website, hackers were able to gain access to passwords and contact information for participants, the bank informed them.

The website — maintained and run by an outside firm and connected to the Internet by a small company in Ann Arbor, Mich. — was one of several gateways that hackers tested to delve deeply into JPMorgan’s internal systems. Ultimately, the hackers found multiple entry points, the people said, but the race website was not among them. One route that proved somewhat successful was through an older human resources system at the bank.

Patricia Wexler, a JPMorgan spokeswoman, emphasized that the race website was “unconnected to our systems and contained no information about our network.”

The attackers’ persistence in scanning every JPMorgan system and vendor for possible weaknesses exposes a stark new reality for American corporations. They are under almost constant siege by online criminals, and their computer networks, security analysts worry, have become “too big to secure.” Every single system and every single vendor — even those as seemingly innocuous as a website for a charitable race — can be chinks in the most heavily fortified institutions.

“Any organization with a sophisticated information technology system needs to connect its system to systems in other organizations,” said Herbert S. Lin, a computer expert at the National Research Council. The trade-off is “even if the first organization’s system is very secure, vulnerabilities in these other systems provide a route for an attacker.”

He added, “These other organizations are ones that you would least expect to be targets of serious attackers, like the janitorial suppliers or the food vendors.”

In attack after attack, Mr. Lin and other security experts note that when the hackers’ frontal assault fails, they almost always turn to a company’s vendors. At Target last year, for example, hackers used credentials from the retailer’s heating and cooling vendor to gain access to its systems. At a large oil company, hackers took a more creative approach, planting malware in the online takeout menu of a Chinese restaurant frequented by its employees.

JPMorgan has maintained that there has been no evidence of fraud arising from the breaches.

Jamie Dimon, the bank’s chief executive, highlighted the need for greater collaboration and control in the digital security landscape, including over vendors, during an earnings call on Tuesday. Guarding against breaches, he said, goes beyond the bank’s own defenses.

“It’s making sure that all of your vendors you deal with have proper cybercontrol, that all the exchanges have proper cybercontrol,” said Mr. Dimon, who did not specifically mention the Corporate Challenge website. “We have identified this as a huge effort. We’ve been very good at it until this recent breach, which we are not going to make excuses for.”

As the intrusion at JPMorgan reverberated across Wall Street last week, with news that the same hackers who breached JPMorgan also tried to attack at least a dozen other large financial institutions but were largely thwarted, questions proliferated about why the attacks succeeded at JPMorgan, which has plowed hundreds of millions of dollars into its digital defenses.

Within JPMorgan, some people wondered whether the attempted intrusions at other financial institutions were little more than a smoke screen, meant to obscure the real target, according to people with knowledge the investigations.

“We don’t have any indication that the hackers got into JPMorgan through a third-party vendor,” Ms. Wexler said. “We are unaware of any other third-party-vendor-run site that was breached.”

The identity of the vendor that managed the Corporate Challenge website has not been disclosed by either JPMorgan or Online Tech, the company that provided its connection to the Internet and provided security for the vendor’s server. Online Tech, which said it sold space to the vendor for its server, learned of the Corporate Challenge website breach just this week when contacted by a reporter. Online Tech also did not know the vendor was managing a website for JPMorgan.

The vendor also never notified Online Tech that hackers had infiltrated the race website. But that is not unusual in the Internet-hosting business, says a person familiar with industry practices.

The vendor managing the Corporate Challenge website did not buy a specialized security package offered by Online Tech. It is unclear what security systems the vendor used on its own, but the Online Tech security package — which includes firewall and antivirus protection, log and file monitoring, vulnerability scanning and two-factor authentication — could have made it easier for the hosting company to detect the intrusion earlier.

“The client hosting the JPMorgan Chase Corporate Challenge website chose to manage their own monitoring and security and not purchase any of our security and compliance services,” said Shawn Fergus, director of marketing for Online Tech, which has more 300 customers. “This does not mean that safeguards were not in place.”

Mr. Fergus noted that, to the company’s knowledge, no other client of Online Tech was affected by the breach of the Corporate Challenge website.

At least one person with knowledge of the investigation said hackers might have been able to breach the site using some user names and passwords that were stolen by a Russian crime ring. Hold Security, a Milwaukee firm, said in August that it had discovered that a band of Russian cybercriminals had stolen more than a billion passwords and 500 million email addresses from more than 420,000 websites.

The developments, security analysts say, underline the challenges for corporations in monitoring the security of outside vendors.

Mr. Dimon acknowledged last week that the $250 million a year that JPMorgan is spending on online security may not be enough to deal with the problem, and he expects the bank to roughly double that over the next few years.

It also remains unclear whether an exodus of some important security personnel from JPMorgan to First Data, a payment-processing company, left the bank vulnerable to a breach, the people with knowledge of the investigation said.

Over the last several months, several staff members followed Frank Bisignano, JPMorgan’s former co-chief operating officer, to First Data, including its digital security czar, Anthony Belfiore. Dozens of other lower-level security employees also made the move to First Data, but most of Mr. Belfiore’s team remained at the bank.

In June — coincidentally, just as it is thought the attack was beginning — the bank hired Greg Rattray, a former Air Force official who specializes in online defense, as its new head of information security.

JPMorgan is continuing to hire as it bolsters its digital security. A review of LinkedIn found about a dozen job postings for online security over the last two months, including positions for experts in detecting web malware and data security engineering.

But the bank, like most other large corporations in its predicament, may have a hard time. “The reality is, everyone is hiring security professionals,” said Dan Kaminsky, a security researcher, “and there aren’t really enough to go around.”

Trading Revenue Lifts JPMorgan Chase Back to Profit in 3rd Quarter

By NATHANIEL POPPER

The earnings were hampered by the $1.1 billion the bank set aside for legal costs, much of it to deal with an investigation into potential manipulation of the foreign exchange market by the biggest banks.

Obama Had Security Fears on JPMorgan Data Breach

By MICHAEL CORKERY, JESSICA SILVER-GREENBERG and DAVID E. SANGER

Officials say no one could answer what the president wanted to know most: What was the motive of the attack?

Michael Corkery contributed reporting.

Correction: October 16, 2014
An earlier version of this article described imprecisely the relationship between the vendor responsible for the JPMorgan Chase Corporate Challenge website and Online Tech, a small company in Ann Arbor, Mich. Online Tech provides power, the Internet connection and space for the vendor's server; it does not host the website on its own servers.