NEW YORK — The hackers who breached JPMorgan Chase’s systems last year were involved in a widespread scheme that targeted 14 other companies, including a Boston-based mutual fund firm, several online brokerages and The Wall Street Journal.
The hackers pulled off the “largest theft of customer data from a U.S. financial institution in history,” stealing personal information of more than 100 million people — including more than 80 million from one financial institution alone, according to Manhattan U.S. Attorney Preet Bharara’s office.
At a press conference Tuesday, Bharara described the data breach as “breathtaking in its scope and its size,” saying the hacking was done to support a series of stock-manipulation schemes, as well as gambling and payment-processing schemes.
Prosecutors declined to name the firms targeted, but several companies came forward Tuesday to claim their part in the investigation, including JPMorgan, TD Ameritrade and online brokerage Scottrade.
JPMorgan Chase spokeswoman Patricia Wexler confirmed that the bank was one of the 15 victims identified in the indictment, unsealed Tuesday. In its 2014 data breach — the largest financial hack in history — close to 76 million households and 83 million customers were affected over a two-month period.
JPMorgan’s customers, therefore, made up more than 80% of 100 million people who had their data stolen across the 15 firms.
“We appreciate the strong partnership with law enforcement in bringing the criminals to justice,” JPMorgan said in an emailed statement. “As we did here, we continue to cooperate with law enforcement in fighting cybercrime.”
Kim Hillyer, a spokeswoman with TD Ameritrade, confirmed that TD was the Omaha-based online brokerage identified in the complaint and said TD continues to cooperate with investigators. The hackers failed to breach TD’s system, according to the complaint, and there is no evidence its customers were affected, Hillyer said.
Ashley Huston, a spokeswoman for News Corp.’s Dow Jones unit, also confirmed that the charges announced by Bharara’s office were also tied to its data breach, announced in October.
Last month, several business publications owned Rupert Murdoch’s News Corp., including The Wall Street Journal and Barron’s, said they found evidence of hacking to their systems going as far back as 2012.
“The government’s investigation is ongoing, and we continue to cooperate with law enforcement,” Dow Jones said in an emailed statement.
Other victims include “one of the world’s largest financial services corporations, providing mutual fund” services in Boston.
Mutual fund giant Fidelity issued a statement to USA TODAY that said its customers were not affected by the breach but declined, through a spokesman, to respond to questions about whether it was the Boston-based victim identified in the indictment.
“We have confirmed with the FBI that there is no indication that our customers were affected,” Fidelity said in the statement.
Online brokerage firm Scottrade of St. Louis also was targeted. The firm continues “to work closely with the authorities by providing any and all information and resources we can to support their investigation and prosecution of the criminals,” a spokeswoman said.
Two software developers were hit, as well as what prosecutors described as a financial news publication in Baltimore.
The indictment named the alleged hackers as Gery Shalon of Israel, Joshua Samuel Aaron, a U.S. citizen, and Ziv Orenstein, also of Israel. Shalon and Orenstein were arrested in Israel in July. They were reportedly linked to the JPMorgan hack at the time, but the allegations were not made official until this week.
Aaron, who is believed to be in Eastern Europe, remains at large and is wanted by the FBI.
Bitcoin operator Anthony Murgio of Florida was also tied to the alleged scheme but charged in a separate indictment for running an unlicensed money transmitting business.
Murgio ran Coin.mx, which Shalon owned and controlled, prosecutors said. He is scheduled to be arraigned before Judge Alison Nathan, also of the Southern District of New York.
Shalon, Orenstein and Aaron were accused of pursuing the widespread cybercrime to support their other criminal enterprises, including a pump-and-dump stock scheme.
The hacks occurred between 2012 to mid-2015, but the men were also accused to criminal activity going back to 2007 that earned them hundreds of millions of dollars in illicit profits.
Bharara said the hackers managed bank and brokerage accounts used to further their money-making schemes based on aliases supported by false passports and other false personal identification information.
The alleged conduct “signals the next frontier in securities fraud,” wherein hackers steal non-public information to help fuel a larger criminal enterprise, Bharara said. He used the event Tuesday to plead with other hacking victims to work with law enforcement.
“The best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement,” Bharara said. “That happened here, and today’s charges are proof of that.”
But also Bharara said the criminal allegations show that “companies need to do a better job of protecting all the information they have.”
Follow USA TODAY business reporter Kaja Whitehouse on Twitter @kajawhitehouse
Read or Share this story: http://usat.ly/1NHCfGY