Two U.S. states are investigating the theft of 83 million customer records from JPMorgan Chase & Co in a massive cyberattack uncovered over the summer and more may soon join, Reuters learned on Friday.
The Illinois state attorney general's office said it has launched a probe into the hack on the No. 1 U.S. bank by assets.
Connecticut is also investigating, said a person familiar with the matter who was not authorized to publicly discuss the probe.
Special Assistant Attorney General William Brauch, director of the Iowa Department of Justice’s Consumer Protection Division, told Reuters that other states attorneys general are discussing the matter and could launch a joint investigation.
"I would imagine a group will form but that has not happened yet,” he told Reuters on Friday.
News of the actions by the states emerged a day after the bank said in a regulatory filing that customer names, addresses, phone numbers and email addresses were taken in the attack that the bank said surfaced in August. It added that it was continuing to investigate the matter and that customers would not be liable for any unauthorized transactions that were promptly reported to the bank.
When asked to comment on the investigations, JPMorgan spokeswoman Patricia Wexler said the company was careful not to speak more about the breach until it had “complete information.”
She said given the fact that no account information was taken, the bank was not legally required to disclose as much as it has.
However, Cybercrime experts warned that the hack could fuel years of fraud, as criminals use the stolen data to "phish" for customer passwords and ferret out other consumer accounts.
The bank said it has not seen any rise in fraud in the wake of the discoveries, but security researchers said the information that hackers stole, such as addresses, tends to change relatively slowly, which gives criminals a long time to use it.
Their first step will likely be to use the information to send emails to customers purporting to be from JPMorgan Chase. Links embedded in those emails could be used to con customers out of their passwords, a practice known as "phishing."
"Hackers might send out emails saying 'Your JPMorgan Chase account has been breached, please log into our portal and enter your information,'" said Alex Holden, chief executive of Hold Security, a cyber security firm that monitors trade in stolen credentials.
The bank's letter to account holders on its website mid-day on Friday made no mention of "phishing", but it linked to a "frequently asked questions" document whose last answer warned about "phishing". Wexler said the bank is making the warning more prominent on its website.
"The risk is phishing" Wexler said, adding that people should be on the lookout. She said that there is no evidence that account numbers, passwords, user IDs, birthdays, or Social Security numbers were taken.
The stolen data is likely to end up being sold on underground cybercrime exchanges to fraudsters who will use it for "phishing" and other schemes. Holden said it is likely to be broken up into groups based on categories such as zip codes, with wealthy demographics going for higher rates. He estimates that lots of varying sizes would sell for between $1,000 and $15,000, with each of them being resold multiple times.
Such information can be used to craft "phishing" emails to seek other types of online accounts, beyond the initial firm that was breached, particularly when combined with personal details from social networking sites such as Facebook, Google, LinkedIn and Twitter, security researchers warned. Details from social media profiles can provide criminals with rich information that they can use to craft convincing "phishing" emails, including information about family, friends, education and work.
"Social media helps the criminals pursue their trade," said Mark Rowley, assistant commissioner for specialist operations for London's Metropolitan Police.
JPMorgan's Wexler said that the bank is not offering credit monitoring to its customers because no financial information, account data or personally identifiable information was compromised.
JPMorgan disclosed at the end of August that it suspected it had been the victim of a cyberattack, and said it had hired outside forensics experts to help it investigate the matter, which law enforcement is also probing.
In a letter to investors in April, JPMorgan Chase Chairman and Chief Executive Jamie Dimon told investors that the bank expects to spend more than $250 million on cyber security this year, with about 1,000 people focused on the area. The bank's efforts will grow exponentially in the coming years, he added.
(Reporting by Jim Finkle and Karen Freifeld; Additional reporting by Eric Auchard and Steve Slater in London and David Henry in New York; Editing by Dan Wilchins and Bernard Orr)