#breach #banking #fraud

JPMorgan Chase 2014

One server without two-factor authentication exposed contact data for 76 million households — and turned out to be the front end of a years-long securities fraud.

Cyber Chronicle

In October 2014, JPMorgan Chase disclosed that attackers had accessed contact information, that is names, addresses, phone numbers and email addresses, for roughly seventy-six million households and seven million small businesses. The bank reported no evidence that account numbers, passwords or Social Security numbers had been taken, and no customer losses were reported. The headcount alone made it one of the largest financial-sector breaches on record.

A single overlooked server

The intrusion was traced to a server that had not been upgraded to require two-factor authentication. The attackers obtained an employee's credentials; on a server enforcing a second factor those credentials alone would not have been enough, but on the unprotected server they were, and from that foothold the attackers moved laterally to dozens of internal systems over a period of months before being detected. The contrast between a bank that spent hundreds of millions on security and a single box missing a single control became the durable headline.

Not just a breach

What distinguished JPMorgan 2014 was what came after. US prosecutors revealed the breach was one component of a sprawling criminal enterprise run by Gery Shalon and associates: pump-and-dump stock manipulation, illegal online gambling, and unlicensed payment processing. The stolen contact data was raw material for stock-touting spam aimed at the very customers whose details had been taken. It reframed the breach from espionage or card theft into market manipulation infrastructure.

What the chronicle remembers

JPMorgan 2014 is the case that fused data breach and securities fraud into a single narrative. It also became the standing example of the "one server without MFA" failure mode, cited in board decks for a decade as the reason credential controls have to cover every system rather than most of them: an attacker with a valid password only needs to find the one host where the second factor was never switched on.