Computer hackers targeted JPMorgan Chase & Co. and at least four other banks in a coordinated attack on major financial institutions this month, according to a U.S. official.
The attack led to the theft of customer data that could be used to drain accounts, according to another person briefed by U.S. law enforcement. The two people, who asked not to be identified because the investigation is continuing, discussed the incident after Bloomberg News reported a breach on banks Aug. 27.
Hackers targeted customer and employee information, said a third person involved in the investigation, who was also briefed by the government. The theft involved gigabytes of data, said several people familiar with the attacks. The scale indicates a potential for significant financial fraud.
Most thefts of financial information involve retailers or personal computers of consumers. Stealing data from big banks is rare, because they have elaborate firewalls and security systems.
The Bloomberg report said the FBI is investigating whether Russian hackers attacked JPMorgan and at least one other bank in retaliation for sanctions on the country over its involvement in the Ukraine military conflict. New York-based JPMorgan declined to comment on whether it was a victim of hacking, while saying the bank has multiple layers of defense to fend off data thefts.
"Companies of our size unfortunately experience cyber attacks nearly every day," Patricia Wexler, a JPMorgan spokeswoman, said in an e-mail.
JPMorgan hasn't detected any unusual activity or fraud thus far, said a person with knowledge of the matter.
Authorities are looking for signs the stolen data has been used to move money from accounts. No such activity had been spotted as of this afternoon, the U.S. government official said. The absence of fraud provides some support that the hack could have been politically motivated.
J. Peter Donald, a Federal Bureau of Investigation spokesman in New York, declined to comment.
Companies are vulnerable to hackers from multiple avenues. Security researchers scanning JPMorgan's networks found malicious software on computers in Hong Kong and India capable of stealing banking and other sensitive data. That review was separate from the attacks being investigated by the FBI.
The researchers found JPMorgan's Hong Kong office was infected in July with the Zeus Trojan horse malware, which can steal banking credentials, said one of the researchers who asked not to be named because the review was private. An office in India was found last week to be infected with the Sality malware, which can steal data and compromise Web servers, the researcher said.
Wexler declined to comment on the Asian security report.
In the latest attack on the U.S. financial system, the use of a software flaw known as a "zero-day" in one bank's website and the way the criminals navigated through elaborate layers of security indicates a degree of skill beyond an ordinary hacker, said two of the people familiar with the attacks. Zero-day refers to the fact that developers don't know the vulnerability exists, making it easy for hackers to take remote command of a computer.
JPMorgan Chase spends about $200 million each year to protect itself from cyber attacks, Chief Executive Officer Jamie Dimon wrote in an April 2013 letter to shareholders.
"This number will grow dramatically over the next three years," Dimon said. "More than 600 employees across the firm are dedicated to the task. And this number likely will grow as well."
It couldn't be determined whether this month's data thefts at banks resulted in any financial losses for consumers. The people didn't specify whether the stolen information included account numbers, passwords or credit-card numbers.
Banks must disclose when customer data is breached, a process that can take days or weeks. Companies often don't immediately know what information was taken or who was affected. If a theft leads to losses, consumers have more protections than corporations.
Customers concerned that their data can be stolen should protect themselves by establishing a second level of authentication for anyone trying to access a bank account. An example would be a text message that must be responded to login. While it's easy for a bank to cancel and reissue credit and debit cards, shutting a deposit account can be more difficult.