The details are continuing to leak out from the massive Chase attack this summer, with the New York Times now reporting that a dozen other financial institution were attacked, including Fidelity Investments and E*Trade, which were “victimized in some way by the attacks.”
Deutsche Bank and Bank of America scanned their systems, the story said, and “at least five other banks — ADP, Bank of the West,Citigroup, HSBC and Regions Financial — found that one of the same (IP) addresses used to penetrate JPMorgan had tried to get into their systems.”
The story also noted as state attorney general investigators continue to probe this attack, at least one state is considering asking lawmakers to toughen data-breach-disclosure rules to look beyond stolen payment card information and to require disclosure if even personally identifiable information (PII) is taken, such as Social Security or bank account numbers. Even stolen E-mail addresses are of concern, given how they can make phishing scams much more effective.
Lisa Madigan, the attorney general for Illinois, one of the states considering such a change, said that the Chase attack was among “the most troubling breaches ever,” adding that it proved “there is probably no database that cybercriminals cannot compromise.”
The attack has even prompted the White House to regularly brief President Obama on the ongoing Chase investigation, as “part of a new effort to keep security officials as updated on major cyberattacks as they are on Russian incursions into Ukraine or attacks by the Islamic State.”
But Obama has been frustrated by his briefer’s inability to answer why the attack was launched.
“‘The question kept coming back, “Is this plain old theft or is Putin retaliating?”‘ one senior official said, referring to the American-led sanctions on Russia. ‘And the answer was: “We don’t know for sure.”‘More than three months after the first attacks were discovered, the source is still unclear and there is no evidence any money was taken from any institution.”