As hackers pierced JPMorgan Chase & Co.’s defenses in June, the bank’s cybersecurity chief was just getting acquainted with his employer and its sprawling technology infrastructure.
Greg Rattray, a former U.S. Air Force commander for information warfare, became JPMorgan’s head of information security that month after upheaval at the highest levels of the bank’s tech division. His predecessor, Anthony Belfiore, had resigned early this year to join at least five JPMorgan leaders at First Data Corp. In between, Anish Bhimani was acting security officer while holding at least one other tech role.
“It sucks that this happened at the beginning of Greg’s watch, but this is a legacy issue,” said Tom Kellermann, chief cybersecurity officer at anti-virus software firm Trend Micro Inc. “They had an acting person who was juggling way too much, with no one fully dedicated to the role for a bit of time.”
JPMorgan, led by Chief Executive Officer Jamie Dimon, 58, has rushed to determine the scope of the assault and restore confidence in security at the biggest U.S. lender. While hackers targeted other banks’ systems, JPMorgan is the only bank said to have had gigabytes of data stolen, including information on customer accounts.
The breach went undetected until mid-August, months after hackers initially exploited a flaw in the company’s website to gain entry to internal systems, people familiar with the firm’s review have said. Investigators believe the stolen files ended up in a Russian data center, the people said.
The bank hasn’t seen elevated levels of fraud, said Patricia Wexler, a JPMorgan spokeswoman. She declined to comment further or make Rattray, 51, available for an interview.
The breach contrasts with the company’s performance in late 2012, when a group attacked the biggest U.S. banks. In that episode, JPMorgan’s website ran more reliably as rivals including Bank of America Corp. suffered repeat outages.
JPMorgan’s technology leaders began leaving after April 2013, when the bank’s co-chief operating officer, Frank Bisignano, 55, departed to become CEO of First Data, the Atlanta-based payment processor. He has known Dimon since the 1980s, serving as his longtime deputy. Bisignano’s last job at JPMorgan included a focus on technology and security.
He was joined a few months later by Guy Chiarello, JPMorgan’s chief information officer since 2007, who became First Data’s president. Chiarello is an industry veteran who was previously CIO at Morgan Stanley, where he spent more than two decades.
Tom Higgins, JPMorgan’s head of operational control in charge of physical and technology security, also joined First Data. So did Cindy Armine, JPMorgan’s compliance chief, and Christine Larsen, a JPMorgan executive vice president in charge of process improvement and enterprise-program management.
First Data agreed in January to pay JPMorgan less than $10 million to resolve claims that Bisignano violated an employment contract by poaching bank executives.
Belfiore, who rose to cybersecurity chief during almost five years at JPMorgan, joined First Data in March. That same month, Paul McEwen, JPMorgan’s chief technology officer of client technology services, joined UBS AG.
It’s impossible to prevent all cyber-attacks because banks have consumer-facing websites and hundreds of thousands of personnel, all acting as potential pathways for hackers, so lenders focus on quickly spotting intrusions and mitigating the damage afterward, said a person with knowledge of the matter.
The departures meant that executives with intimate knowledge of JPMorgan’s systems, which use thousands of proprietary software programs and hundreds of thousands of desktop computers and servers, were gone, hampering the bank’s response, the person said.
“With an organization that size, the first thing Greg’s doing is taking inventory on what kind of security, controls and people he has,” said Kellermann, who said he’s confident Rattray is fixing the breach. “He’s not doing a deep dive about ‘what the hell is inside of us?’”
The new JPMorgan technology team hails from industries apart from finance. Dana Deasy, named chief information officer in October, was previously a CIO at BP Plc, the London-based oil producer.
Before joining JPMorgan, Rattray spent seven years at a risk-management consulting firm he co-founded and at least two years in the Air Force, according to his LinkedIn profile. He graduated from the U.S. Air Force Academy in 1984 and was a senior adviser to the Financial Services Roundtable, a Washington-based industry group.
“This is a gentleman who was at the forefront of defending attacks against the U.S. Air Force,” said Art Ehuan, managing director at Alvarez & Marsal, a professional services advisory firm. “He has some very powerful relationships and can reach many layers of government for assistance, especially on international-related attacks.”