The Department of Justice this week announced that it had unsealed charges against Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein for allegedly "orchestrating massive computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers, including the largest theft of customer data from a U.S. financial institution in history." The charges relate to the widely reported August 2014 announcement by JP Morgan and October 2015 announcement by Dow Jones that they were the victims of a cyberattack. Shalon and Orenstein were arrested by Israeli authorities in July and are currently awaiting extradition, while Aaron remains at large.
The indictment provided additional insight into the breadth of the attacks. Though the indictment did not name the twelve victims, it provided descriptions, including "one of the world's largest financial institutions, with headquarters in New York, New York," "one of the world's largest financial services corporations, providing mutual fund, online stock brokerage and other services, headquartered in Boston, Massachusetts," and four online brokerages. According to USA Today, Scottrade and TD Ameritrade confirmed that they were victims, though a spokesman for TD Ameritrade said that there is no evidence that customer information was compromised. The article reported that Fidelity released a statement that its customers were not affected by the attack, but declined to answer whether it was the Boston financial services corporation identified.
The release stated that the attacks started sometime in 2012, lasted until August 2014, and compromised the information of over 100 million people, and that the hackers used the personal information in furtherance of a "pump and dump" scheme. Manhattan U.S. Attorney Preet Bharara said that the hackers sought nonpublic information in the attacks and "generated hundreds of millions of dollars in illicit proceeds." The indictment indicates that the hackers gained access through customer-facing online account access and through a vulnerability known as "Heartbleed," among other methods.
Attorney General Loretta Lynch thanked the victims of the attack for coming forward to cooperate with authorities. She noted that "[i]n an age when enormous quantities of vital information are stored in digital format on potentially vulnerable Internet-connected devices, public-private partnerships and information-sharing are more critical than ever." Bharara argued that even sophisticated companies are at risk and that "[t]he best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement."