The news about this summer’s cyberattack on JPMorgan Chase continues to get worse: A number of other financial institutions were also hit by the same group, according to the New York Times.

“About nine other financial institutions a number that has not been previously reported were also infiltrated by the same group of overseas hackers,” according to the story, posted online Friday night. “The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government.”

The story cited unnamed sources briefed on the matter.

A wave of high-profile cyberattacks this year on U.S. companies including hardware supplies retailer Home Depot and the Jimmy Johns sandwich shops, as well as last year’s hack on household goods chain Target, are serving to raise public awareness of weaknesses in the security systems of major businesses. The attacks on the big U.S. businesses range in severity, but underscore the need for consumers to understand how to protect sensitive information online.

The New York Times’ Friday report was posted a day after details of the JPMorgan hack came to light via a filing the bank made to the U.S. Securities and Exchange Commission. In total, 76 million households and 7 million small businesses were affected by the attack, the bank said in an 8-K filing Thursday to the SEC.

The attack compromised information and data used in connection with providing or offering services, the bank said. However, sensitive information including account numbers, passwords and credit, debit and Social Security numbers are not thought to have been compromised, the back stated. The bank said it does not believe customers “need to go through the inconvenience of having their cards reissued.”

Even when an attack does not involve credit card or social security numbers, however, information such as names of people who use a certain service can be used by criminals to pry more sensitive information from unsuspecting consumers via phishing attacks. In the wake of the cyberattacks, consumers need to be especially careful of any communication, even from apparently trusted sources, that requests information such as passwords, experts say.

JPMorgan’s regulatory filing was short on details about how the attack occurred. When media reports about the hack surfaced in late August, JPMorgan Chase declined to confirm the attacks. It said large companies constantly experience cyberattacks. This is precisely the problem, argue advocacy groups: weak security coupled with lack of disclosure of breaches are a serious disservice to consumers. Consumer advocates and some politicians are calling for more stringent breach disclosure laws.

Meanwhile, U.S. agencies including the Federal Bureau of Investigation and the Secret Service are working with JPMorgan to better determine the scope and source of the attacks. JPMorgan and the Secret Service did not immediately return requests for comment Saturday.