E-Trade learned of the cyberattack shortly after it occurred in 2013 and launched an internal investigation while it worked with law enforcement, according to a person familiar with the investigation who spoke on the condition of anonymity. But at the time, the company did not believe customer information had been compromised, the person said.
Recently, however, federal law enforcement officials alerted the company to evidence that customer contact information may have been breached, prompting E-Trade to inform customers about the incident "out of an abundance of caution," according to the e-mail.
E-Trade said it is offering those caught up in the breach one year of free identity protection services, which includes credit monitoring.
"Security is a top priority, and we focus significant time and energy to help keep E-Trade customer data and information safe and secure," a company spokesperson said in a statement. "We take these matters extremely seriously, and in all instances we continuously assess and improve upon E-Trade’s capabilities. We have also contacted any customers we believe may have been impacted."
The Wall Street Journal reported in 2014 that the E-Trade breach was part of a wave of cyberattacks targeting financial companies in recent years. Those attacks were committed by the same cybercriminals who hacked their way into JP Morgan in 2014, according to the Wall Street Journal, which cited a person briefed on the matter. In the JP Morgan incident, attackers were able to access customer data for tens of millions of people, including e-mail and physical addresses, but not account information.
The number of people that appear wrapped up in the E-Trade breach is much smaller, but that customers are being notified about potential unauthorized access nearly two years is a reminder that the full scope of a cyberattack may not be known until long after it is over.