JPMorgan Chase — 2014 customer data breach

Attackers compromised a JPMorgan server missed by the bank's two-factor authentication rollout and exfiltrated contact details for 76M households and 7M small businesses.

Target
JPMorgan Chase — 2014 customer data breach
Date public
27 August 2014
Sector
Financial Services
Attack type
Data Breach
Threat actor
Gery Shalon-led securities-fraud crew
Severity
High
Region
United States / Israel

In 2014 attackers entered JPMorgan Chase's network through a single web server that had been overlooked during the bank's two-factor authentication rollout, and exfiltrated contact details for 76 million households and 7 million small businesses. The bank was spending approximately $250 million a year on cybersecurity at the time. None of that mattered — the entry was a routine credential-reuse attack on an unhardened server. The attackers spent two months inside the network before being detected, and the stolen list was later sold to a securities-fraud crew that used it as a marketing database for stock-manipulation scams. The lesson is brutally banal: every internet-facing asset must be enrolled in your security controls on day one, because the asset that gets missed is the one that gets you breached.

In June 2014 attackers breached a JPMorgan Chase web server that had been overlooked during the bank’s project to enforce two-factor authentication on every internet-facing system. The server in question was a perimeter web host that had been upgraded with new hardware and a fresh OS but never re-onboarded into the 2FA programme. The attackers obtained credentials for an account that had access to that server and used the credential pair — without 2FA challenge — to gain entry. From there they spread laterally through the bank’s internal network, eventually reaching a database that held contact details for around 83 million customer records: 76 million household accounts and 7 million small-business accounts. Names, addresses, phone numbers and email addresses were exfiltrated. Account numbers, passwords, dates of birth and Social Security numbers, the bank confirmed in its 8-K filing, were not reached.

The intrusion was discovered in late July when the bank’s security team noticed unusual queries against the customer-data store. Investigators concluded the attackers had been on the network for approximately two months. The bank disclosed the breach publicly in October 2014, after the FBI permitted disclosure following its own investigation.

The attribution that emerged in 2015 was unusual. The FBI and Manhattan US Attorney’s Office indicted Gery Shalon and Ziv Orenstein, two Israeli nationals, and Joshua Samuel Aaron, an American, for what prosecutors described as the largest computer-hacking and securities-fraud scheme in US history. The crew had used the JPMorgan customer list — together with similar lists exfiltrated from Scottrade, Dow Jones, E*Trade and others — to run “pump-and-dump” stock manipulation schemes targeting the breach victims as marketing leads. Shalon also ran an unlicensed Bitcoin exchange and an online payment processor used to launder the proceeds of pharmacy spam and online gambling. The JPMorgan list was, in the indictment’s framing, the customer-acquisition database for a multi-billion-dollar fraud business. Shalon pleaded guilty in 2017.

Defender takeaway: the entry point was a single asset that fell out of an asset inventory. JPMorgan’s information-security spend at the time was reported to be approximately $250 million annually. None of that prevented an entry that was, in technical terms, an old-fashioned credential reuse on an unhardened server. The lesson is the brutally banal one — every internet-facing asset must be enrolled in the controls programme on day one, and an asset inventory that depends on humans remembering to add new servers will eventually miss one. The downstream lesson is that lateral movement from a perimeter web host to a customer-data warehouse should not be possible in a 2014 enterprise architecture, and is even less defensible in a 2026 one. The customer database was reached because the network design assumed the perimeter could keep attackers out. Once the perimeter was breached, there was nothing inside to slow them down.
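The inventory gap described in the takeaway above can be caught mechanically rather than by people remembering to add servers. The following is an added example, not JPMorgan's tooling or anything from the case record: it reconciles a constructed host inventory export against a constructed 2FA enrollment roster and flags two gap classes the incident illustrates, an internet-facing host with no enrollment record at all, and a host that was rebuilt (new hardware, fresh OS) after its enrollment date, so the old enrollment may no longer apply. Hostnames, zones, dates and column names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
import csv
import io

# Constructed sample inventory export (hypothetical CMDB columns; not real data).
INVENTORY_CSV = """hostname,zone,last_rebuild
www01.example.test,internet,2013-11-02
www02.example.test,internet,2014-04-15
api.example.test,internet,2014-05-20
intranet01.example.test,internal,2014-02-10
"""

# Constructed sample 2FA enrollment export (hypothetical IdP roster).
# Casing and the trailing dot differ from the inventory on purpose: real
# exports from two systems rarely agree on hostname form.
ENROLLMENT_CSV = """hostname,enrolled_on
WWW01.example.test.,2014-03-01
api.example.test,2014-03-01
intranet01.example.test,2014-03-01
"""


def normalize(hostname: str) -> str:
    """Canonical hostname form so the two sources can be joined reliably."""
    return hostname.strip().rstrip(".").lower()


@dataclass(frozen=True)
class Host:
    hostname: str
    zone: str
    last_rebuild: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    kind: str      # "NOT_ENROLLED" or "STALE"
    detail: str


def load_inventory(text: str) -> list[Host]:
    rows = csv.DictReader(io.StringIO(text))
    return [
        Host(normalize(r["hostname"]), r["zone"].strip().lower(),
             date.fromisoformat(r["last_rebuild"]))
        for r in rows
    ]


def load_enrollment(text: str) -> dict[str, date]:
    rows = csv.DictReader(io.StringIO(text))
    return {normalize(r["hostname"]): date.fromisoformat(r["enrolled_on"])
            for r in rows}


def reconcile(inventory: list[Host], enrollment: dict[str, date]) -> list[Finding]:
    """Return every internet-facing host whose 2FA enrollment is missing or stale."""
    findings = []
    for host in inventory:
        if host.zone != "internet":
            continue  # scope of the rule: every internet-facing asset must be enrolled
        enrolled_on = enrollment.get(host.hostname)
        if enrolled_on is None:
            findings.append(Finding(host.hostname, "NOT_ENROLLED",
                                    "no 2FA enrollment record"))
        elif host.last_rebuild > enrolled_on:
            # Rebuilt after enrollment: the control may not have survived the rebuild.
            findings.append(Finding(host.hostname, "STALE",
                                    f"rebuilt {host.last_rebuild} after enrollment "
                                    f"on {enrolled_on}; re-onboard"))
    return sorted(findings, key=lambda f: f.hostname)


if __name__ == "__main__":
    for f in reconcile(load_inventory(INVENTORY_CSV), load_enrollment(ENROLLMENT_CSV)):
        print(f"{f.kind:13} {f.hostname}: {f.detail}")
```

Run as a scheduled job against the real exports and treat a non-empty findings list as a failed control, not a report to read later. The STALE rule is the one that would have caught the server in this incident: the host existed in the inventory and had once been covered, but a hardware and OS rebuild silently took it back out of the programme.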
