Computer hackers carried out a coordinated cyber attack on JPMorgan Chase and at least four other banks this month, a U.S. official said Wednesday.
Bloomberg first reported the breach, which included theft of customer data as well as employee information. According to people involved in the investigation, the hackers accessed gigabytes of information — enough to indicate "a potential for significant financial fraud."
The FBI has begun investigating the case and is "working with the United States Secret Service to determine the scope of recently reported cyber attacks against several American financial institutions," FBI spokesman Paul Bresson said in a statement.
The identities and motives of the intruders are unclear, though sources have told USA Today that Russian or Eastern European hackers were likely the attackers.
In an email statement to The Wire, Greg Kazmierczak, CTO of computer security company Wave Systems, said the attackers "performed a zero-day attack to gain initial access to the network."
"By definition, this means they leveraged a vulnerability, or flaw, that was previously unknown," he said. "There is no such thing as fool-proof security; especially when the attacker is a well-funded, highly-skilled, and highly motivated nation-state."
Still, attacking large banks like JPMorgan Chase is uncommon — if hackers wanted financial information, they usually do so by attacking personal computers and retailers. Big banks have more sophisticated security systems, posing a greater challenge to accessing information that hackers can find more easily elsewhere. In fact, in an April 2013 letter to shareholders, JPMorgan CEO Jamie Dimon wrote that the bank spends about $200 million each year on cyber defenses.
JPMorgan spokeswoman Patricia Wexler, however, said in a statement to Bloomberg that the bank is always on the lookout for security breaches.
"Companies of our size unfortunately experience cyber attacks nearly every day," she said. "We have multiple layers of defense to counteract any threats and constantly monitor fraud levels." They say they have not seen any unusual fraud activity since the attack.