BOSTON (Reuters) – Two U.S. states are investigating the theft of 83 million customer records from JPMorgan Chase & Co (JPM.N) in a massive cyber attack uncovered over the summer, and more may soon join, Reuters learned on Friday.
Illinois Attorney General Lisa Madigan said she has launched a probe into the hack on the No. 1 U.S. bank by assets.
Connecticut is also investigating, said a person familiar with the matter who was not authorized to publicly discuss the probe.
“A breach of this size and significance demands a comprehensive response from the highest level of our government,” Madigan said in a statement. “Thorough investigations of major breaches must be done, and the results must be shared with the public whose information and financial security is at risk, or consumer confidence will be further diminished.”
Special Assistant Attorney General William Brauch, director of the Iowa Department of Justice’s Consumer Protection Division, told Reuters that other states attorneys general are discussing the matter and could launch a joint investigation.
“I would imagine a group will form, but that has not happened yet,” he told Reuters.
News of the actions by the states emerged a day after the bank said in a regulatory filing that customer names, addresses, phone numbers and email addresses were taken in the attack that the bank said surfaced in August. It added that it was continuing to investigate the matter and that customers would not be liable for any unauthorized transactions that were promptly reported to the bank.
When asked to comment on the investigations, JPMorgan spokeswoman Patricia Wexler said the company was careful not to speak more about the breach until it had “complete information.”
She said that, given the fact that no account information was taken, the bank was not legally required to disclose as much as it has.
However, cybercrime experts warned that the hack could fuel years of fraud, as criminals use the stolen data to “phish” for customer passwords and ferret out other consumer accounts.
The bank said it has not seen any rise in fraud in the wake of the discoveries, but security researchers said the information that hackers stole, such as addresses, tends to change relatively slowly, which gives criminals a long time to use it.
Their first step will likely be to use the information to send emails to customers purporting to be from JPMorgan Chase. Links embedded in those emails could be used to con customers out of their passwords, a practice known as “phishing.”
“Hackers might send out emails saying ‘Your JPMorgan Chase account has been breached, please log into our portal and enter your information,’” said Alex Holden, chief executive of Hold Security, a cyber security firm that monitors trade in stolen credentials.
The bank’s letter to account holders on its website on Friday made no mention of “phishing,” but it linked to a “frequently asked questions” document whose last answer warned about “phishing.” Wexler said the bank is making the warning more prominent on its website.
“The risk is phishing” Wexler said, adding that people should be on the lookout. She said that there was no evidence that account numbers, passwords, user IDs, birthdays, or Social Security numbers were taken.
The stolen data is likely to end up being sold on underground cybercrime exchanges to fraudsters who will use it for “phishing” and other schemes. Holden said it is likely to be broken up into groups based on categories such as zip codes, with wealthy demographics going for higher rates. He estimates that lots of varying sizes would sell for between $1,000 and $15,000, with each of them being resold multiple times.
Such information can be used to craft “phishing” emails to seek other types of online accounts, beyond the initial firm that was breached, particularly when combined with personal details from social networking sites such as Facebook (FB.O), Google (GOOGL.O), LinkedIn LNKD.N and Twitter (TWTR.N), security researchers warned. Details from social media profiles can provide criminals with rich information that they can use to craft convincing “phishing” emails, including information about family, friends, education and work.
“Social media helps the criminals pursue their trade,” said Mark Rowley, assistant commissioner for specialist operations for London’s Metropolitan Police.
JPMorgan’s Wexler said that the bank is not offering credit monitoring to customers because no financial information, account data or personally identifiable information was compromised.
JPMorgan disclosed at the end of August that it had hired outside forensics experts to help it investigate a possible cyberattack.
The bank said in April that it expects to spend more than $250 million on cybersecurity this year, with about 1,000 people focused on the area. The bank’s efforts will grow exponentially in the coming years, it added.