Was Round 1 only a set-up?

Are the JPMorgan Hackers Just Hiding?

Katie Benner is a Bloomberg View columnist who writes about technology, innovation, and the cult and culture of Silicon Valley. She lives in San Francisco.

When hackers broke into JPMorgan Chase's computer systems they nabbed name and contact information for 83 million households and small-business accounts.

But it seems like they didn't take more sensitive data like account numbers, passwords and Social Security numbers, the stuff that someone can use to steal your money or your identity. The bank says that the breach hasn't given way to an uptick in fraudulent activity.

This sounds like very good news -- burglars entered, looked around, took some family photos and left the cash and jewelry behind.

Unfortunately that's not quite how cyber breaches work. Talk to enough people in the security field and you'll hear some version of this story: Once the attackers knew they had been discovered, they went into hibernation for months or a year and then they started moving around and doing damage. It's more like the robbers hid when the cops arrived, only to emerge months later when you thought they were all gone.

In the specific case of JPMorgan, the bank thinks it was infiltrated in June. By the time the breach was discovered in July, it was clear that hackers had "obtained the highest level of administrative privilege to dozens of the bank's computer servers," the New York Times notes in its very thorough account of the breach.

Despite this deep access, nothing valuable was taken.

Company security teams and consultants scour networks after a breach, but it's hard to do a perfect job. "When a year later the company discovers another breach, it's not unusual for them to discover that the infiltrators were laying low for months and that it's the same breach," says Matt Comyns, a search consultant who helps place security executives at big Fortune 500 companies. "The attackers sit dormant once they realize they've been discovered. They're patient as hell."

It will take JPMorgan months to deal with the break-in. And like all companies that have been targets of cyber-attacks -- Home Depot and T.J. Maxx, Target and Michaels -- it will be very hard to ferret out every back door left unlocked by the hackers to get back in.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the editor on this story:
James Greiff at jgreiff@bloomberg.net