Data breach | Resolved

JPMorgan Chase data breach

Attackers exploited a server missing two-factor authentication to breach more than 90 JPMorgan Chase servers and steal contact details for 76 million households and 7 million small businesses — one of the largest intrusions ever into a U.S. financial institution.

Victim: JPMorgan Chase
Records: 83.0M
Users: 83.0M

On 2 October 2014, JPMorgan Chase — the largest bank in the United States — disclosed in a securities filing that attackers had compromised contact information for 76 million households and 7 million small businesses, totalling more than 83 million accounts. It remains one of the largest cyber intrusions ever into a U.S. financial institution.

What happened

The attackers gained their initial foothold around June 2014 by exploiting a server that had not been upgraded to require two-factor authentication. Most of JPMorgan's systems enforced multi-factor login, but this overlooked server let stolen credentials work with only a password. From there the intruders moved laterally and ultimately gained access to more than 90 servers inside the bank's network.

JPMorgan detected the intrusion in late July 2014 and contained it by mid-August, working with the FBI and U.S. Secret Service.

What was exposed

The stolen data was contact information rather than financial records:

  • Names
  • Email addresses
  • Postal addresses
  • Phone numbers
  • Internal JPMorgan information about the affected users

The bank stated there was no evidence that account numbers, passwords, Social Security numbers, or dates of birth had been compromised, and no evidence of fraud tied directly to the breach.

Attribution and prosecution

The intrusion was later linked to a sprawling criminal enterprise. In November 2015, U.S. prosecutors in the Southern District of New York indicted Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, describing it as the largest known theft of customer data from a U.S. financial institution. The scheme spanned stock-manipulation ("pump-and-dump") operations, illegal online gambling, and payment processing, using stolen contact lists to market manipulated securities. The alleged hacker who carried out the intrusions, Andrei Tyurin, was extradited in 2018 and sentenced to 12 years in prison in 2021; Shalon forfeited hundreds of millions of dollars.

Impact

While no direct financial theft from customer accounts was attributed to the breach, the scale alarmed regulators and the public, coming amid a wave of major U.S. breaches. JPMorgan publicly committed to doubling its annual cybersecurity budget from roughly $250 million to $500 million over the following years.

Why it matters

The JPMorgan breach is the canonical lesson that a single overlooked control can undo an otherwise strong security program. One server missing two-factor authentication gave attackers access to more than 90 systems at the best-resourced bank in the country. It cemented MFA-everywhere as a baseline expectation for financial institutions and demonstrated how stolen contact data can fuel large-scale financial-fraud and securities-manipulation schemes rather than only identity theft.

Timeline

  1. Attackers gain a foothold in JPMorgan's network via a server that had not been upgraded to require two-factor authentication.

  2. JPMorgan detects the intrusion in late July 2014 after attackers reach more than 90 servers.

  3. The bank contains the breach by mid-August and works with the FBI and U.S. Secret Service on the investigation.

  4. JPMorgan discloses in a securities filing that 76 million households and 7 million small businesses were affected.

  5. U.S. prosecutors indict Gery Shalon, Joshua Aaron and Ziv Orenstein, describing the largest known theft of customer data from a U.S. financial institution.

  6. Andrei Tyurin, the alleged hacker behind the intrusions, is extradited to the United States.

  7. Tyurin is sentenced to 12 years in prison for his role in the scheme.
