Three charged for largest-ever bank data breach

Last Updated Nov 10, 2015 6:05 PM EST

NEW YORK - Federal authorities in New York City say three people have been charged in the largest theft of consumer data from a U.S. financial institution in history.

Authorities say the probe resulted from a huge cyberattack against JPMorgan Chase, the nation's biggest bank by assets.

According to the indictment, the men stole customer records of more than 83 million customers of JPMorgan Chase & Co. from June 2014 to August 2014. The court papers said identifying information on millions of other people was stolen in cyberattacks from 2012 to last summer against several other financial institutions, financial services corporations and financial news publishers.

Charged in the indictment were Gery Shalon, Ziv Orenstein and Joshua Samuel Aaron. All three men were charged in July with related crimes, though the hacking crimes were not specified then. CBS News' Paula Reid reports two of the defendants, Gery Shalon and Ziv Orenstein, were arrested in Israel and are awaiting extradition.

According to prosecutors, and reported by CBS News justice and homeland security correspondent Jeff Pegues, here's how it worked:

Over three years, the hackers bought penny stocks and drove up their prices. They then sent spam emails to the customers whose data was stolen, encouraging them to buy those stocks. When the prices went up, the suspects cashed out leaving investors with significant losses.

It worked so well, Shalon allegedly bragged about it in emails contained in the court papers. When asked by an accomplice if it was easy to get Americans to buy stocks he replied: "It's like drinking freaking vodka in Russia."

In addition to the cyberattack on JPMorgan, other companies have come forward and admitted they were targeted by the group. Scottrade and Dow Jones have both stated recently they were among the victims of the group.

The indictment said one or more of the defendants also engaged in other criminal schemes since 2007, including U.S. securities market manipulation schemes and the operation of at least a dozen Internet casinos that violated U.S. laws.

Joshua Samuel Aaron

Joshua Samuel Aaron

FBI

The indictment said some of the massive computer hacks and cyberattacks occurred as the men sought to steal the customer base of competing Internet gambling businesses or to secretly review executives' emails in a quest to cripple their rivals.

Officials say the group used the information to target individuals for various fraudulent stock selling schemes, which is how they made money. They operated out of Israel, Russia, and the U.S. The group also is accused of operating illegal gambling schemes from 2001-2015. They hacked other gambling businesses to steal customer information and shut down those sites.

Additionally, at least one of the defendants also ran an unlawful bitcoin exchange.

Authorities said Aaron, a U.S. citizen believed to be residing in Moscow and Israel, was a fugitive.

U.S. Attorney Preet Bharara plans to discuss more about the case at a news conference.