E*Trade, Dow Jones Issue Breach AlertsBreaches May Tie to Financial Services Hacking Campaign
Financial services firm E*Trade Financial and news and financial information publisher Dow Jones are separately warning their customers and subscribers that their personal information - and in some cases, payment card data - may have been compromised in a cyberattack campaign.
E*Trade has been notifying 31,000 customers that their personal information may have been breached, including names, plus email and physical addresses, The Washington Post first reported on Oct. 9, citing an email the firm has been sending to affected individuals.
Dow Jones, meanwhile, has issued a letter to subscribers warning that "out of an abundance of caution," it is warning all subscribers that for the past three years, attackers had been gaining "unauthorized access" to its systems and appeared to be attempting to exfiltrate contact information for its millions of current and former subscribers. But the company, which publishes The Wall Street Journal, says that "to date, our extensive review has not uncovered any direct evidence that information was stolen," aside from contact information and payment card data for about 3,500 people.
The breach notifications follow a similar warning issued earlier this month by discount stock brokerage firm Scottrade, which revealed that from late 2013 until early 2014, hackers had stolen personal information for 4.6 million of its clients (see Scottrade Belatedly Learns of Breach). As with E*Trade and Dow Jones, the firm said that it learned of the breach after being alerted by a law enforcement agency.
The FBI declined to comment about whether those breaches were perpetrated by the same group that has been tied to similar breaches involving JPMorgan Chase and Fidelity Investments, among other firms.
In the email sent to about 31,000 customers affected by its data breach, E*Trade warned that in late 2013, some of their personal information had been compromised by attackers, The Washington Post reports. But there is "no evidence that any sensitive customer account information, including passwords, Social Security numbers or financial information was compromised," the e-mail reportedly said. It added that there had been "no reports of financial fraud or loss resulting from this incident," and offered affected individuals one year of prepaid identity theft monitoring.
Officials at E*Trade did not immediately respond to a request for comment on that report. The report notes that the firm first learned of the hack attack in 2013, shortly after it occurred, but it concluded after an internal investigation that no customer information had been stolen. More recently, however, the firm reportedly received a warning from law enforcement agencies stating that customer information had, in fact, been breached.
Dow Jones Alert
Dow Jones CEO William Lewis, meanwhile, issued an Oct. 9 letter to customers warning them about the breach, which ran from August 2012 until July 2015. "We believe these unauthorized individuals were seeking contact information for as many current and former subscribers as possible," he says. As of August, Dow Jones reported having 2.4 million current subscribers globally - of which all but about 150,000 were located in the United States.
To date, the Dow Jones investigation has found that a small amount of personal information and payment card data was compromised. "As part of the investigation we determined that payment card and contact information for fewer than 3,500 individuals could have been accessed," Lewis says. "We sent those individuals a letter with more information about the free identity protection services we are offering. We take these matters seriously and value our relationship with our customers."
But Lewis adds: "To date ... our investigation has not uncovered any direct evidence that information was stolen, so it is not possible to identify the number of customers" whose personal information may have been exposed during the breach.
'Broader Campaign' At Work
Like E*Trade, Dow Jones reports that it has been working with law enforcement agencies. "We understand that this incident was likely part of a broader campaign involving a number of other victim companies and is part of an ongoing investigation," Lewis says. "It appears the goal of these hackers was to obtain customer contact information in order to send fraudulent solicitations," and had targeted subscribers' names, mailing addresses, email addresses and phone numbers.
The reference to a broader campaign appears to tie to a breach at JPMorgan Chase that was detected in June 2014 and disclosed by the financial services firm in October 2014. JPMorgan said the breach exposed information for 83 million households and small businesses (see Chase Breach Affects 76 Million Households).
In 2014, The Wall Street Journal reported that beyond JPMorgan, investigators believed that up to 12 other firms in the financial services sector had been targeted by the same group of hackers, including Fidelity Investments, E*Trade Financial, Citigroup, HSBC Holdings, Regions Financial and Automatic Data Processing, although many of the firms reported finding no evidence that customer data had been stolen (see Chase Breach: Who Else Was Attacked?).
Bank executives and senior U.S. government officials initially blamed that JPMorgan breach on the Russian government. But earlier this year, the Manhattan U.S. Attorney's office charged three men with running a pump-and-dump stock scheme that blasted out millions of spam emails per day, which was reportedly tied to the hacks of those financial services firms (see Report: Spammers Tied To JPMorgan Chase Hack).
A spokesman for the Manhattan U.S. Attorney's office wasn't immediately available to respond to related questions.