JPMorgan found breach through Corporate Challenge site

JPMorgan discovered the hack of 83 million customer records through the website for a corporate event that the firm sponsors.

The hackers who stole contact information for 76 million households and 7 million small businesses were discovered because the intruders had breached the bank's Corporate Challenge website using some of the same offshore servers.

It is unclear when the bank would have discovered the breach had the hackers not used the same IP addresses to launch attacks on both the bank and the Corporate Challenge website. 

The breach was part of a repository of a billion stolen passwords and usernames from some 420,000 websites that a Milwaukee-based security consulting firm, Hold Security, had traced to a gang of Russian hackers.

Further investigation by Hold and JPMorgan security specialists revealed that in April the hackers had obtained the website certificate for the Corporate Challenge site's vendor, Simmco Data Systems, allowing hackers access to any communications between visitors and the website, including passwords and email addresses.

Hold Security began informing its clients of the breach around August, and JPMorgan officials then told Simmco Data. The bank also looked at traffic on its own network and discovered the same hackers had breached that system.

The hackers had originally gained access to the bank's network by compromising the computer an employee with special privileges had used both at work and at home and then moved across the bank's network to access contact data.

The Corporate Challenge website was later taken offline after the hacking of the site was discovered, the Journal reported, but the site was restored by the bank ahead of upcoming races in Shanghai and Singapore, although payments have been moved to a Chase website. 

Officials at JPMorgan were not available for comment.