E*Trade, Dow Jones Issue Breach Alerts

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/etrade-dow-jones-issue-breach-alerts-a-8586

Financial services firm E*Trade Financial and news and financial
information publisher Dow Jones are separately warning their customers and
subscribers that their personal information - and in some cases, payment
card data - may have been compromised in a cyberattack campaign.

E*Trade has been notifying 31,000 customers that their personal information
may have been breached, including names, plus email and physical addresses,
The Washington Post first reported on Oct. 9, citing an email the firm has
been sending to affected individuals.

Dow Jones, meanwhile, has issued a letter to subscribers warning that "out
of an abundance of caution," it is warning all subscribers that for the
past three years, attackers had been gaining "unauthorized access" to its
systems and appeared to be attempting to exfiltrate contact information for
its millions of current and former subscribers. But the company, which
publishes The Wall Street Journal, says that "to date, our extensive review
has not uncovered any direct evidence that information was stolen," aside
from contact information and payment card data for about 3,500 people.

The breach notifications follow a similar warning issued earlier this month
by discount stock brokerage firm Scottrade, which revealed that from late
2013 until early 2014, hackers had stolen personal information for 4.6
million of its clients (see Scottrade Belatedly Learns of Breach). As with
E*Trade and Dow Jones, the firm said that it learned of the breach after
being alerted by a law enforcement agency.

The FBI didn't immediately respond to a request for comment about whether
those breaches were perpetrated by the same group that has been tied to
similar breaches involving JPMorgan Chase and Fidelity Investments, among
other firms.

E*Trade Breach

In the email sent to about 31,000 customers affected by its data breach,
E*Trade warned that in late 2013, some of their personal information had
been compromised by attackers,The Washington Post reports. But there is "no
evidence that any sensitive customer account information, including
passwords, Social Security numbers or financial information was
compromised," the e-mail reportedly said. It added that there had been "no
reports of financial fraud or loss resulting from this incident," and
offered affected individuals one year of prepaid identity theft monitoring.

Officials at E*Trade did not immediately respond to a request for comment
on that report. The report notes that the firm first learned of the hack
attack in 2013, shortly after it occurred, but it concluded after an
internal investigation that no customer information had been stolen. More
recently, however, the firm reportedly received a warning from law
enforcement agencies stating that customer information had, in fact, been
breached.

Dow Jones Alert

Dow Jones CEO William Lewis, meanwhile, issued an Oct. 9 letter to
customers warning them about the breach, which ran from August 2012 until
July 2015. "We believe these unauthorized individuals were seeking contact
information for as many current and former subscribers as possible," he
says. As of August, Dow Jones reported having 2.4 million current
subscribers globally - of which all but about 150,000 were located in the
United States.

To date, the Dow Jones investigation has found that a small amount of
personal information and payment card data was compromised. "As part of the
investigation we determined that payment card and contact information for
fewer than 3,500 individuals could have been accessed," Lewis says. "We
sent those individuals a letter with more information about the free
identity protection services we are offering. We take these matters
seriously and value our relationship with our customers."

But Lewis adds: "To date ... our investigation has not uncovered any direct
evidence that information was stolen, so it is not possible to identify the
number of customers" whose personal information may have been exposed
during the breach.

'Broader Campaign' At Work

Like E*Trade, Dow Jones reports that it has been working with law
enforcement agencies. "We understand that this incident was likely part of
a broader campaign involving a number of other victim companies and is part
of an ongoing investigation," Lewis says. "It appears the goal of these
hackers was to obtain customer contact information in order to send
fraudulent solicitations," and had targeted subscribers' names, mailing
addresses, email addresses and phone numbers.

The reference to a broader campaign appears to tie to a breach at JPMorgan
Chase that was detected in June 2014 and disclosed by the financial
services firm in October 2014. JPMorgan said the breach exposed information
for 83 million households and small businesses (see Chase Breach Affects 76
Million Households).

In 2014, The Wall Street Journal reported that beyond JPMorgan,
investigators believed that up to 12 other firms in the financial services
sector had been targeted by the same group of hackers, including Fidelity
Investments, E*Trade Financial, Citigroup, HSBC Holdings, Regions Financial
and Automatic Data Processing, although many of the firms reported finding
no evidence that customer data had been stolen (see Chase Breach: Who Else
Was Attacked?).

Bank executives and senior U.S. government officials initially blamed that
JPMorgan breach on the Russian government. But earlier this year, the
Manhattan U.S. Attorney's office charged three men with running a
pump-and-dump stock scheme that blasted out millions of spam emails per
day, which was reportedly tied to the hacks of those financial services
firms (see Report: Spammers Tied To JPMorgan Chase Hack).

A spokesman for the Manhattan U.S. Attorney's office wasn't immediately
available to respond to related questions.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!