JPMorgan’s Form 8-K to Investors: We’ve Been Hack-Mapped!

JPMorgan’s Form 8-K filed on Thursday with the Securities and Exchange Commission advises:

On October 2, 2014, JPMorgan Chase & Co. (“JPMorgan Chase” or the “Firm”) updated information for its customers, on its and JPMorganOnline websites and on the Chase and J.P. Morgan mobile applications, about the previously disclosed cyberattack against the Firm. The Firm disclosed that:

• User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.

• The compromised data impacts approximately 76 million households and 7 million small businesses.

• However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.

• As of such date, the Firm continues not to have seen any unusual customer fraud related to this incident.

• JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the Firm to.

The Firm continues to vigilantly monitor the situation and is continuing to investigate the matter. In addition, the Firm is fully cooperating with government agencies in connection with their investigations.

According to ZDNet, a forensic security firm suggests the bank’s users’ accounts are now at greater risk of compromise and that password changes and two-factor authentication should be implemented to address the risk.

However, the 8-K’s wording indicates a different security risk altogether as the users’ passwords and Social Security numbers are not compromised.

The disclosure of information compromised combined with earlier reporting about the breach more closely matches a description of that collected by National Security Agency’s TREASURE MAP intelligence collection program. TREASURE MAP gathered information about networks including nodes, but not data created by users at the end nodes of the network. The application delineated the path to the ends, and to the physical ends, not merely the virtual ends, of the network.

The items at risk according to JPMorgan’s filing are metadata components — name, address, phone number and email address. As the Guardian’s guide to metadata explains — beginning with telephone and cellphone numbers, and email addresses — the following additional metadata can be obtained with adequate access to JPMorgan’s servers and network:

Email metadata:

  • sender’s name, email and IP address
  • recipient’s name and email address
  • server transfer information
  • date, time and timezone
  • unique identifier of email and related emails
  • content type and encoding
  • mail client login records with IP address
  • mail client header formats
  • priority and categories
  • subject of email
  • status of the email
  • read receipt request

Cellphone metadata:

  • phone
  • phone number of every caller
  • unique serial numbers of phones involved
  • time of call
  • duration of call
  • location of each participant
  • telephone calling card numbers

All of this could be linked to a real name and a real, physical address also contained in JPMorgan’s affected database. With these items, an entity can begin to cross-match physical locations against behaviors.

Consider, too, what JPMorgan’s Form 8-K does NOT tell us definitively: whether information regarding assets in customer accounts has been breached as well. However, the 8-K says, “internal JPMorgan Chase information relating to such users” has been compromised; does this mean that not only the value of assets, but also types of assets and transaction records, have been accessed?

Imagine being able to select specific customers, locating them physically, and then narrowing targeting even further based on their asset types or value.

What could be done with this information? Let’s speculate on applications:

— Customers holding specific assets or majority positions can be monitored for potential trading activity, so that trades can be front-run ahead of a major ownership or market position change;

— Identified customers can be physically threatened about assets in their holdings, or about activity that may affect a market;

— Information about customers’ positions can be used to damage markets and inflict economic injury on individuals or groups of people;

— At volume, information about cash flows of ALL customers in aggregate could be used for front-running.

There are other potential uses for such information if one continues this line of speculation.

Clearly JPMorgan felt there was a material risk to investors obligating it to file a Form 8-K; in contrast, not every publicly held corporation’s security breach has been reported this way. The Target, Home Depot, and even NASDAQ cyber security breaches are examples in which the firm did not generate 8-K reports.

While a handful of other major firms now publish Form 8-K notifications of major breaches, JPMorgan has not previously done so. This cannot possibly be the first or only cyber security breach this financial institution has faced. What makes a critical difference is that this breach poses a threat of unknown nature and magnitude; no evidence of fraud or unauthorized activity has been detected, but the potential damage to investors may happen outside JPMorgan accounts, to markets as a whole, impacting holders of JPMorgan’s stock (NYSE:JPM) as well as its customers.

Does the nature of this breach as an intelligence gathering operation pose such a threat to its investors that JPMorgan had no choice but to make this disclosure?

And what does the pattern of JPMorgan’s customers’ asset and cash flows look like in the wake of this 8-K?

It’s worth noting, too, the change in JPMorgan’s stock valuation during the period following issuance of their dividend and the release of the Form 8-K before Friday morning. What shifted the stock back up more than a dollar per share?

18 replies
  1. emptywheel says:

    Though I will say — and this could either support your point or not — I do think JPMC cooperated their way out of a pickle back with the Scary Iran Plot, and so I wouldn’t be surprised if they were serving as an asset of sorts.

    • Rayne says:

      Oh, go one further…What if the 8-K notice was intended to flush out certain kinds of behavior, identifying government targets?

      [I already assume JPM is an asset, just as any overly-large US corporation operating with a bare minimum of oversight must be. In an economic system built to support business (and not citizens), corporations become the state.]

      • emptywheel says:

        Like what? Market trading?

        By asset, I think they — and Citi, though for different reasons — are assets of the type Chiquita became when it was in trouble for materially supporting terrorism in (what was it?) 2004.

        • Rayne says:

          Market trading, like betting against deep state activity in a fashion that might be construed as predictive…or simply taking large positions contrary to deep state’s long-term interests, such that positions move a market.

          I’ve always thought the biggest of TBTF including JPM were assets a la Prince’s Blackwater–not necessarily like the compromised Chiquita. Useful tools aware of their status and utility, willing to perform as long as profit was assured.

  2. P J Evans says:

    What shifted the stock back up more than a dollar per share?

    A reassurance from the government via JPM to major Wall Street firms *cough*Goldman Sachs*cough* that JPM was safe?

    • Rayne says:

      LOL! I like the timing of this 8-K, masked somewhat by the dividend paid out the same day…and one week after the report on whistleblower tapes of the Fed Reserve.

  3. Phil Perspective says:

    The disclosure of information compromised combined with earlier reporting about the breach more closely matches a description of that collected by National Security Agency’s TREASURE MAP intelligence collection program.

    Are you trying to imply that the NSA might be trying to drum up business for its former Star Trek-loving director?

  4. x174 says:

    m–l really liked this post. it has the rubber meets the road feel to it. I.e., how might a 215 breach be used to maximum effect? the real wonder of the piece is your insight that there is possibly a connection to treasuremap. also, one can sense a noticeably bad taste-in-the-mouth when the reality of the problem and the enormously negative consequences that the long-term insidiousness of Not a Secret Agency could have (and have had) on anyone, anywhere anytime. thanks for the great counter-sleuthing!

  5. galljdaj says:

    My list of possible villains that are likely to be ‘guilty’ is short and dirty and completely without respect for ‘rule of law’… . #1 US Govt via NSA and/or FBI.

    I hear more ‘targeting’ and using data ‘mining’ going on. What are ‘skills’ for if not to be used!

  6. TarheelDem says:

    Stock shift might be a result of the illusion that the 8-K filing means that the risk to JPMorganChase is now known, calculatable, and discountable in pricing. And then amplified by program trading.

    • Rayne says:

      I tend to think program buying, but who wrote the terms? There’s a historic trend to sell mid-September and buy in mid-October–more specifically tracking Jewish holidays Rosh Hashanah and Yom Kippur.

      Did an algo kick off the buying on Friday, on which Yom Kippur began?

      It’d be a nifty way to ensure an obscure payback to an asset…

      (Yuck…I’m having problems with using the comments this morning—you didn’t imagine it if you think you’ve seen this comment previously. Needed a big Pink Pearl eraser.)

  7. Teddy says:

    Just found out my mom’s JPMorganChase VISA card account had fraudulent charges in August (from checking the bill) and September (from the JPMC fraud folks reading me every single charge). Someone got ahold of her credit card account number to pay their Comcast bill in Florida, and yet the JPMC fraud-“detection” system we pay extra for never noticed these charges, despite interrogating mom and me whenever I use her card for travel to visit her in Virginia.

    Check your bills carefully; this came at a busy high-purchase time (during my visit to her late August/early September) so I only spotted the charges because I was fine-toothing the bill.

  8. spocko says:

    Thanks Rayne, great post. Very interesting. I read the SEC note, but I didn’t read the 8-K. It’s funny, but one of the questions that I asked the CFPB was “Who requires that they report this information, what are their rules, are they following them?”

    There are so many parts of that announcement on Oct. 3 that just seem bizarre to me. Part of it was just how it was covered. One of the problems feels like nobody wanted to call out Chase for their failure. They were all falling all over themselves to talk about how clever these people were. They admire them! And I think there was also, “Those foreigners are messing with our bank!” USA USA!

    So they find out it is the NSA doing it, would they tell us about it? What if there were more than one hacker? The NSA and an outside entity?
    One story I read talked about how all these security professionals left earlier, but one of the weaknesses was the third party software.

    And there are so many zero exploits that the NSA held onto (so they could use them) that it made all the systems vulnerable.

    I read a couple of technical articles, — I’m technical enough to follow along — and one of the things they don’t mention is their discussions with the government beyond the FBI. Something like this would bring in US Cyber Command, NSA experts, State and Treasury. Do they need to reveal this to us?
    Has anyone even asked?

  9. x174 says:

    thanks for the interesting work Rayne. i think that any concentrated attention of JPMC and their possible interrelations with the government should be examined and closely scrutinized. yesterday i looked at a JPMC pdf describing their history and it was nothing but misdirection ( the document claimed that JPMC began in 1799. JPM & Co began in 1895 after Anthony Drexel died in December 1893. Technically, it could be argued that its history began in 1871 with the formation of Drexel, Morgan Co.

    i am curious: does anyone know how to get reliable historical documents describing JPM&Co annual earnings from 1895 to the present?
