Prosecutors yesterday announced charges connected to massive network intrusions at U.S. financial institutions, brokerage firms and major news publications, among other companies. And the latest headlines suggest that the massive 2014 JPMorgan hack was linked to the largest cybersecurity breach ever.
Authorities allege that Gerry Shalon, Joshua Samuel Aaron and Ziv Orenstein, orchestrated “massive computer hacking crimes,” including the largest theft of customer data from a U.S. financial institution in history. While it’s unclear what part, if any, these men played in the JPMorgan hack, JPMorgan did tell CNNMoney that it is the unidentified bank mentioned in federal documents.
Sharon and Orenstein were arrested in July by the Israel Police while Aaron remains at large. All told, the defendants stole the personal information of over 100 million people. JPMorgan was one of the institutions that was hit and cooperated with law enforcement to find and arrest the suspects. Last October, JPMorgan admitted 76 million households had been compromised in a cyberattack of mass proportions. On top of that another 7 million small businesses were compromised.
Brave New World
From about 2012 to about the middle of 2015, the defendants did their dirty work. The defendants also worked to manipulate the prices of publicly traded stocks in the United States by marketing stocks to customers whose information they had stolen in the hack.
“As set forth in the indictment, these three defendants perpetrated one of the largest thefts of financial-related data in history — making off with the sensitive information of literally thousands of hard-working Americans,” said U.S. Attorney General Loretta Lynch. “In an age when enormous quantities of vital information are stored in digital format on potentially vulnerable Internet-connected devices, public-private partnerships and information sharing are more critical than ever.”
Manhattan U.S. Attorney Preet Bharara said the charged crimes showcase a “brave new world” of hacking for profit. Bharara was clear: The bad guys are no longer hacking just to get fast paychecks — they are hacking to support a diversified criminal conglomerate.
Software Not Enough?
We turned to Tim Erlin, Tripwire’s director of IT security and risk strategy, to get his thoughts on the news. While people tend to focus on the technical tools to prevent these types of cyberattacks, he told us these indictments are a good reminder that partnerships with law enforcement can provide more traditional tools for fighting cybercrime.
“If cybercriminals aren’t likely to get away with their crimes, they’ll be forced to change their tactics,” Erlin said. Indeed, for all the talk of security solutions, getting caught red handed by authorities and possibly serving jail time could be stronger deterrents for others who may be looking to go down the same path.
“Hopefully we’ll hear more about how JPMorgan was able to partner with law enforcement. This type of information sharing can be educational for others in the industry and result in better preparation and cooperation,” Erlin said. “Long after the public has largely forgotten about a cyberattack, law enforcement is continuing to pursue the perpetrators.”
