
Charges brought in largest US financial cyber-hacking

Prosecutors have charged three men relating to the largest cyber-attack of financial firms in US history.

Personal information for 100 million people was accessed by cyber-thieves between 2012 and the summer of 2015.

At a press conference on Tuesday, US federal prosecutor Preet Bharara called the scheme "securities fraud on cyber-steroids".

Twelve institutions were victims of the hacking, including JPMorgan and asset manager Fidelity.

US prosecutors said they were expanding charges against two Israeli men, Gery Shalon and Ziv Orenstein, as well as a US citizen, Joshua Samuel Aaron.

Charges against the three men were expanded to include computer hacking and identity theft among 21 other counts.

'Criminal conglomerate'

"The charged crimes showcase a brave new world of hacking for profit," said Preet Bharara, the lead prosecutor on the case.

"It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate," he said.

Mr Aaron, 31, was a fugitive and believed to be living in Moscow.

Mr Shalon, 31, and Mr Orenstein, 40, are in custody in Israel, where their lawyers couldn't immediately be reached for comment.

The men allegedly manipulated stock prices by selling shares of companies to individuals whose contact information they had stolen. They then dumped their own shares, causing the price to fall.

The men were also charged with running an illegal payment processing business that they used to collect $18m (£11.9m) in fees.

Prosecutors claim the men hacked into competitors' systems to spy on them and then hacked into a credit card company investigating their payment processing business in order to avoid detection.

Analysis: Dave Lee, North America technology reporter

This is how prosecutors say they did it.

The hacking technique often involved using legitimate accounts belonging to Joshua Aaron.

Using this legitimate access, as if Mr Aaron was a normal customer, paved the way for the hackers to gain access to networks and systems containing reams of data about other customers - people who were investing in stocks.

Over the course of several years, they stole personal data on more than 100m people.

The hackers didn't access bank details. They neither needed nor wanted them.

Investigators said the hackers used the personal details to send out information to bosses' email addresses, promoting certain stocks that hackers had bought cheap. The price would rise, and the hackers would then sell off their now very valuable shares.

It's a technique known as "pump and dump".

Separate charges have also been brought against a Florida man, Anthony Murgio, who operated an unlicensed digital currency service and had previously been linked to the breach at JPMorgan.

The US Securities and Exchange Commission had already filed civil charges related to securities fraud against Mr Shalon, Mr Aaron and Mr Orenstein.

The company hit hardest by the breach was JPMorgan. More than 83 million of the bank's customers had data stolen in the breach.

At Tuesday's press conference, US Attorney General Loretta Lynch thanked the institutions involved for coming forward to report the hacking, allowing prosecutors to pursue criminal charges.

"In an age when enormous quantities of vital information are stored in digital format on potentially vulnerable Internet-connected devices, public-private partnerships and information-sharing are more critical than ever," Ms Lynch said.
