By Devlin Barrett, Emily Glazer and Kirsten Grind 

Federal investigators believe the same hackers who stole data from J.P. Morgan Chase & Co. computers this summer also plucked some information from Fidelity Investments, according to people close to the case.

It is unclear which Fidelity networks were infiltrated or what types of data were taken from the company, one of the nation's largest investment firms, but so far, authorities don't believe the breach compromised account information or was on the same scale as the customer-contact information taken from J.P. Morgan, the people said.

Investigators have said at least 13 companies were targeted by the unknown hackers, making it one of the most significant cyberattacks disclosed in the U.S. To date, only J.P. Morgan and Fidelity are known to have had data stolen. An unspecified number of the companies' systems had some contact from computer addresses linked to the hackers but didn't lose any data, according to people close to the investigation.

Fidelity is one of the largest mutual-fund firms in the U.S., with $1.7 trillion in assets under management. The privately held company that grew in prominence during the stock-market boom of the 1980s and 1990s also operates a large brokerage and is one of the biggest providers of retirement services such as 401(k) plans.

A Fidelity spokesman said the company "continues to deploy multiple layers of security to help protect the privacy of our customers. Through our continued cooperation with law enforcement officials, we can reiterate and have confirmed with the FBI that there is no indication Fidelity customer accounts, information, services or systems were affected by the recent attack that impacted [J.P. Morgan]."

It remains unknown who is behind the incident that now appears to have victimized two of the largest financial firms in the U.S. Several people close to the investigations see ties to Russian-speaking cybercriminals. However, it is unclear exactly where the alleged hackers are, people close to the investigation said.

The move comes as investigators continue to probe what happened in a summer cyberattack that took contact information for 76 million households from J.P. Morgan and has shaken confidence in the security of the nation's financial firms.

The breach also affected seven million small businesses that do business with J.P. Morgan. No sensitive account information, such as passwords or Social Security numbers, was taken, the bank has said, but contact information such as e-mails was pilfered, raising the possibility that some customers will be exposed to sham e-mails.

A variety of regulators and prosecutors are investigating or examining the matter, including the Federal Bureau of Investigation, National Security Agency, Department of Homeland Security, U.S. attorney's office in Manhattan and New York's Department of Financial Services.

Some state attorneys general are also in discussions to form a multistate group to examine J.P. Morgan's cyberattack this summer, people familiar with the matter said.

Offices of attorneys general including those in California, Rhode Island, Connecticut and Illinois are in discussions to join together and examine whether J.P. Morgan, and possibly other financial institutions, followed state disclosure laws on data breaches, these people said.

They also are discussing the possibility of examining who hacked J.P. Morgan and others that may have been affected by the recent breach, these people said. The group also may look at what information was taken, these people added.

A J.P. Morgan spokeswoman said the bank communicated with customers three times to provide details about the cyberattack. She said the firm waited until it had gathered more facts to give detailed disclosure and it wasn't required to notify customers in the first place, given that the breach dealt only with contact information, not sensitive financial information.

Rhode Island Attorney General Peter F. Kilmartin said in a Monday news release that his office sent a letter to J.P. Morgan asking for additional information about the breach and whether it would affect Rhode Island consumers. "The scope of this breach is of great concern," he said in the news release.

The office of Connecticut Attorney General George Jepsen has been in contact with the bank regarding the cyberattack since the bank's disclosure earlier this year, a spokeswoman for the attorney general said. She declined to provide further detail, saying it was a pending matter. Illinois Attorney General Lisa Madigan also is looking into the breach. In a statement, Ms. Madigan said that the cyberattack is among the most "troubling" breaches because it shows how vulnerable U.S. institutions and their databases are.

The Wall Street Journal reported Wednesday that investigators believe the hackers that broke into J.P. Morgan targeted at least 12 other financial-services companies, including Fidelity and E*Trade Financial Corp., people familiar with the matter have said. Besides Fidelity and J.P. Morgan, it's unclear if any other firms had information taken.

Fidelity, the mutual-fund shop that made investor Peter Lynch famous, has broadened out its business in recent years. The company now has about 69 million customer accounts, and its website notes that 20,000 businesses use Fidelity to manage employee-benefit programs.

Write to Emily Glazer at emily.glazer@wsj.com
