In his letter, Dow Jones Chief Executive William Lewis said that law enforcement officials informed the company about the potential breach in late July.
After bringing in outside help, an investigation turned up a confirmation that the systems housing the customer data was accessed – but there is no proof that data was exfiltrated. The investigators also determined that the attackers had access to the system between August 2012 and July 2015.
"As part of the investigation to date, we also determined that payment card and contact information for fewer than 3,500 individuals could have been accessed, although we have discovered no direct evidence that information was stolen. We are sending those individuals a letter in the mail with more information about the support we are offering. If you do not receive such a letter, we have no indication that your financial information was involved," the letter states.
The incident appears to be part of a larger campaign involving "a number of other victim companies" the letter goes on to add. Investigators feel that the focus of the attack was the contact information of current and former Dow Jones subscribers, such as names, addresses, email addresses, and phone numbers.
Last Friday, Scottrade Inc. alerted the public to a data breach that affected 4.6 million people. As was the case with Dow Jones, Scottrade wasn't aware of any problems prior to law enforcement notification.
According to an email sent by Scottrade, law enforcement discovered the breach while investigating other data-theft cases.
The brokerage firm says that the incident took place between late 2013 and early 2014, warning that both current and former customers were affected. Once again, the attackers were targeting contact information.
If the assumption of a larger campaign holds true, then the Dow Jones & Co. breach is likely related to the Scottrade breach that was disclosed last week. If so, then the attackers behind both incidents have been at this for a long time, and there are going to be additional related breach disclosures in the coming weeks.