Another Security Fix Is Made to JPMorgan Chase’s Race Website

The website for the JPMorgan Chase Corporate Challenge, which was hit by the same hackers that broke into the bank’s own network this summer, is slowly crawling back to health.

Earlier this week, the small Michigan firm that manages the Corporate Challenge website repaired what it believed was the last potential security flaw with the website, said an executive with the vendor, Simmco Data Systems.

David Simms, Simmco’s president, said that the firm replaced a potentially compromised certificate for the website after confirming a report in The New York Times last week that the Corporate Challenge website might still have an outstanding security flaw.

Certificates guarantee the identity of a website to a visitor’s web browser. Using a stolen certificate, hackers can intercept any communications between a visitor and a website, including passwords.

The website for the Corporate Challenge, a series of races that JPMorgan sponsors in cities around the globe to raise money for charity, has been largely inoperable since Aug. 7. The discovery that overseas hackers had infiltrated the website helped JPMorgan discover that the same gang of cyber criminals also had breached the bank’s vast network.

It is not clear why the potential problem with the website certificate was fixed only in the past few days. A JPMorgan spokeswoman declined to comment.

In early August, JPMorgan learned the Corporate Challenge website may have been breached because of information gathered by Hold Security, a Milwaukee security consulting firm. Hold Security found that a gang of hackers believed to be from Russia had obtained some passwords and email addresses used by race participants, who had registered on the Corporate Challenge website.

JPMorgan eventually found that the same hacker who broke into the Corporate Challenge website had gotten into the bank’s network. The bank’s security team determined that by finding that the same suspicious Internet addresses seen on the Corporate Challenge’s server also appeared on some of the bank’s own servers.

The breach of JPMorgan’s network, which took more than two months for the bank to discover, compromised some non-financial information about 83 million households and small-business customers. The bank has said the hackers did not gain access to more sensitive personal information, like Social Security numbers or account balances, and that it had not seen any evidence of fraud involving the information that was taken, mostly names, addresses, phone numbers and email addresses.

Mr. Simms, whose small company has been managing the Corporate Challenge website for about a decade, said he and the bank hoped to soon have the race website fully functional. “It will be the most secure race website,” he said.