It has become a familiar pattern: The computer system of a big American company is breached, the personal information of tens of millions of customers is stolen and a public outcry ensues. Rarely are the thieves caught.
But last summer's attack on JPMorgan Chase — which resulted in hackers gaining access to email addresses and phone numbers for 83 million households and small businesses — may break that pattern of investigative dead ends in large corporate breaches.
Federal authorities investigating the attack at JPMorgan are increasingly confident that a criminal case will be filed against the hackers in the coming months, said people briefed on the investigation. Law enforcement officials believe that several of the suspects are "gettable," meaning that they live in a country with which the United States has an extradition treaty. That would not include countries like Russia.
Indictments and arrests would be a notable victory for the Federal Bureau of Investigation and Preet Bharara, the United States attorney in Manhattan. In contrast, there have been no criminal charges in a December 2013 breach at Target, where payment card data for 40 million customers was stolen, along with the personal information of 70 million customers, or in the major attacks against eBay and Home Depot involving hundreds of millions more customers last year.
Although the breach at JPMorgan did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank and a warning sign that the American financial system was vulnerable.