US Charges Hackers Who Targeted JP Morgan
Federal Prosecutors finally unsealed an indictment of criminal charges against three men who orchestrated what has been described as the "largest theft of customer data from a U.S. financial institution in history." The formal indictment does not name the financial institutions directly, but a Reuters report confirms that JP Morgan Chase and ETrade were amongst the targeted companies.
The indictment alleges that three men -- two Israelis and one American -- co-conspired over the course of years to electronically hack, con, and illegally traffic goods profiting in hundreds of millions. In the words of Manhattan U.S. Attorney Preet Bharara, "The charged crimes showcase a brave new world of hacking and profit ... This was hacking as a business model." The range and extent of their crimes is too massive to list here.
Hacking for Profit
Isreali defendants Gery Shalon (31) and Ziv Orenstein (40) and American co-defendant Joshua Aaron (31) were accused of a range of crimes in connection with massive security hacking over the course of years and the running of illegal gambling operations.
The intrusion into the networks is a study in the security flaws at some of the most trusted financial institutions in America. Aaron set up customer accounts at several financial institutions and gave his login information to Shalon, who promptly used his skills as a hacker to analyze the security flaws of each target company.
Shalon and another co-conspirator then systematically infected the networks with malware in order to extract customer information from the network over the course of months. With access to over 100 million customer's profiles, the men used the information to market stocks and manipulate prices in a systematic "pump-and-dump" operation.
Using the Heartbleed Vulnerability
Shalon and Aaron then moved on to a company with even more financial clout, described in the indictment only as "one of the world's largest financial services corporations, providing [various financial services] with headquarters in Boston Massachusetts." The two men infiltrated the victim's network by utilizing the Heartbleed vulnerability that had been the security scare of 2014. By the time the company in question had addressed and taken care of the vulnerability, Shalon and crew had already made off with a fortune.
Scary Horizons
The operation finally came to an end largely in part because Shalon was too eager to pat himself on the shoulder rather than keep quiet. But the reach and expanse of Shalon and company's criminal enterprise is impressive and frightening. No doubt, there are legions of other potential hackers on the planet who aspire to Shalon's impact and greatness.
If there was ever an incident that should convince financial institutions that cyber-security should be given the highest priority, this is it.
Related Resources:
- Cybersecurity 101: Best Practices Your Firm Should Implement (FindLaw's Strategist)
- Legal Depts Are Too Easy to Hack. Here's How to Protect Yourself (FindLaw's In-House)
- Protect Your Firm From Cyber Attack: Tips to Boost Cyber Security (FindLaw's Technologist)
- Hackers Are Coming After Your Private Data (FindLaw's Technologist)