Data leak
JPMorgan Chase Comet/JPMC Hack: 76 Million Households, 7 Million Businesses
Primary Source
Incident Details
Between June and August 2014, a sophisticated attack attributed to a Russian cybercriminal group compromised JPMorgan Chase’s internal network, exposing data for 76 million households and 7 million small businesses, the largest breach of a US financial institution in history. The attackers gained root-level access to over 90 servers. Contact information (names, addresses, phone numbers, email addresses) and internal JPMorgan Chase information about customers was stolen; account numbers, passwords, Social Security numbers, and dates of birth were not compromised. The attackers entered through an unpatched vulnerability on one of JPMorgan’s websites: a server that had not been upgraded to use two-factor authentication during a routine upgrade. JPMorgan disclosed the breach on 2 October 2014 in an SEC filing.

The FBI investigated and subsequently charged four individuals (including Israel-based Gery Shalon, Ziv Orenstein, Joshua Aaron, and Anthony Murgio) in connection with the JPMorgan breach and an extensive scheme involving pump-and-dump stock fraud, an illegal Bitcoin exchange, and a casino operation. The attackers used the stolen data to manipulate stock prices, profiting tens of millions of dollars. Charges were filed in 2015 and guilty pleas were obtained between 2015 and 2017. The breach prompted significant Congressional scrutiny of financial-institution cybersecurity.
Technical Details
- Initial Attack Vector
- Russian criminal group (linked to Bitcoin exchange operators) exploited an unpatched vulnerability on a JPMorgan Chase server, specifically a zero-day in the bank's website that had not been updated to use two-factor authentication; the attackers gained root privileges on more than 90 servers
- Vendor / Product
- JPMorgan Chase internal network / customer data systems
Timeline
- 2014-06-01 Breach occurred
- 2014-10-02 Publicly disclosed
- 2014-10-02 Customers notified