JPMorgan Chase last week confirmed that hackers managed to access personal data for more than 83 million customers, including 76 million households and seven million small-business online accounts, but The New York Times reveals that the largest bank in the U.S. isn’t the only one to have been hit. It appears that other nine, unnamed, financial institutions have also been targeted by the same mysterious hackers group, which also managed to steal some critical security data from JPMorgan on top of personal data.
Hackers were apparently able to access only names, addresses, phone numbers and email addresses for compromised accounts, but did not get actual financial information, or social security numbers. Furthermore, they were able to determine whether the accounts were private bank accounts or fell in other business categories such as mortgages.
The Times also says that it’s not clear why hackers chose to hunt for customer information rather than go for financial data, with JPMorgan revealing that it has not received any reports related to the massive data breach detailing fraudulent use of customers’ data.
What’s clear is that hackers were apparently able to access 90 servers in JPMorgan’s computer network completely undetected for several weeks. In addition to personal customer data, hackers gained access to something more valuable — a list of every application and program the bank uses to protect its servers — which could let them perform similar attacks in the future by taking advantage of potential security flaws in those programs.
“It’s as if they stole the schematics to the Capitol — they can’t just switch out every single door and window pane overnight,” one former employee said.
For JPMorgan, “swapping out those programs is costly and time-consuming, people say, because the bank would have to renegotiate licensing deals with technology suppliers and swap out programs and applications for hundreds of thousands of bank employees,” as the Times reports.