By Jim Finkle
BOSTON (Reuters) - The 83 million customer records that hackers stole from JPMorgan Chase & Co <JPM.N> could fuel years of fraud, as criminals use the information to "phish" for customer passwords and ferret out other accounts that consumers may have, cybercrime researchers said on Friday.
The No. 1 U.S. bank by assets said on Thursday in a regulatory filing that customer names, addresses, phone numbers and email addresses were taken in the attack that the bank said surfaced in August. It added that it was continuing to investigate the matter and that customers would not be liable for any unauthorized transactions that were promptly reported to the bank.
The bank said it has not seen any rise in fraud in the wake of the discoveries, but security researchers said the information that hackers stole, such as addresses, tends to change relatively slowly, which gives criminals a long time to use it.
Their first step will likely be to use the information to send emails to customers purporting to be from JPMorgan Chase. Links embedded in those emails could be used to con customers out of their passwords, a practice known as "phishing."
"Hackers might send out emails saying 'Your JPMorgan Chase account has been breached, please log into our portal and enter your information,'" said Alex Holden, chief executive of Hold Security, a cyber security firm that monitors trade in stolen credentials.
The bank's letter to account holders on its website mid-day on Friday made no mention of "phishing," but it linked to a "frequently asked questions" document whose last answer warned about "phishing." JPMorgan spokeswoman Patricia Wexler said the bank is making the warning more prominent on its website.
"The risk is phishing," Wexler said, adding that people should be on the lookout. She said that there is no evidence that account numbers, passwords, user IDs, birthdays, or Social Security numbers were taken.
The stolen data is likely to end up being sold on underground cybercrime exchanges to fraudsters who will use it for "phishing" and other schemes. Holden said it is likely to be broken up into groups based on categories such as zip codes, with wealthy demographics going for higher rates. He estimates that lots of varying sizes would sell for between $1,000 and $15,000, with each of them being resold multiple times.
Such information can be used to craft "phishing" emails to seek other types of online accounts, beyond the initial firm that was breached, particularly when combined with personal details from social networking sites such as Facebook <FB.O>, Google <GOOGL.O>, LinkedIn <LNKD.N> and Twitter <TWTR.N>, security researchers warned. Details from social media profiles can provide criminals with rich information that they can use to craft convincing "phishing" emails, including information about family, friends, education and work.
"Social media helps the criminals pursue their trade," said Mark Rowley, assistant commissioner for specialist operations for London's Metropolitan Police.
JPMorgan's Wexler said that the bank is not offering credit monitoring to its customers because no financial information, account data or personally identifiable information was compromised.
JPMorgan disclosed at the end of August that it suspected it had been the victim of a cyber attack, and said it had hired outside forensics experts to help it investigate the matter, which law enforcement is also probing.
In a letter to investors in April, JPMorgan Chase Chairman and Chief Executive Jamie Dimon said that the bank expects to spend more than $250 million on cybersecurity this year, with about 1,000 people focused on the area. The bank's efforts will grow exponentially in the coming years, he added.
(Additional reporting by Eric Auchard and Steve Slater in London and David Henry in New York; Editing by Dan Wilchins and Bernard Orr)