2014 JPMorgan Chase data breach

The 2014 JPMorgan Chase data breach was a cyberattack against American bank JPMorgan Chase that is believed to have compromised data associated with over 83 million accounts—76 million households (approximately two out of three households in the country) and 7 million small businesses.^[1] The data breach is considered one of the most serious intrusions into an American corporation's information system and one of the largest data breaches in history.^[2][3][4]

2014 JP Morgan Data Breach

Time	2011 – May 2015
Duration	c. 3 Years 6 Months
Location	New York City
Type	Data breach
Arrests	4
Suspects	4
Accused	4
Convictions	4

The cyberattack

The attack—disclosed in September 2014—was discovered by the bank's security team in late July 2014, but not completely halted until the middle of August.^[3][5] The bank declared that financial and login information associated with the accounts (such as social security numbers or passwords) were not compromised but names, email, postal addresses, and phone numbers of account holders were obtained by hackers, raising concerns of potential phishing attacks.^[4][6] The hackers obtained a list of JPMorgan's applications and programs, using it to identify vulnerabilities and gain entry.

The attack targeted nine other major financial institutions alongside JPMorgan Chase.^[3][7] As of October 9, the only other company believed to have had data stolen is Fidelity Investments,^[8] but investigators reported that the attack attempted to infiltrate the networks of banks and financial companies such as Citigroup, HSBC Holdings, E*Trade, Regions Financial Corporation and payroll-service firm Automatic Data Processing (ADP).^[9]

The breach occurred at a time when consumer trust in digital security was already fragile due to recent breaches at major retailers.^[10]

Indictments and extradition

US federal indictments were issued against four hackers in the massive fraud in November 2015.^[11] Two Israelis indicted, Gery Shalon and Ziv Orenstein, were arrested in Israel and were extradited to the U.S. in 2016, which was announced by Israel's Justice Ministry.^[12][13] American hacker Joshua Samuel Aaron had also been part of the indictments.^[14] They were charged with 23 counts of computer hacking affecting over 100 million customers.^[15] In 2017, Shalon pleaded guilty to all 23 counts and made a plea deal with prosecutors, which included forfeiting over $400 million. ^[16] Orenstein avoided additional prison time in 2020 after a five-year course of cooperation with the authorities.^[17] Joshua Samuel Aaron was arrested in Dec 2016.^[18] A fourth individual, Andrei Tyurin (or Andrey Tiurin), was extradited to the US from the Republic of Georgia to face charges in 2018.^[19] He was sentenced to 12 years in prison in 2021.^[20]

JPMorgan Chase's Response

In response to the breach, JPMorgan Chase took several measures, such as doubling its annual security spending from $250 million in 2014 to $500 million within five years.^[21] Also, the firm applied software updates to restrict unauthorized access and prevent further exposure of sensitive information.