Over a month after the Office of the Comptroller of the Currency discovered it had been hacked by illicit actors, the agency said it is still working to understand what specific sensitive bank data was compromised and whether any of it has been publicly or criminally disseminated, according to a letter the agency sent Tuesday to banks it supervises.
“The OCC and one of its contractors are currently working to review the content of all compromised email communications and attachments, including determining whether any of the compromised information has been found on the dark web,” Acting Comptroller Rodney Hood said in the letter. “Information that was accessed includes financial supervision information provided by OCC-supervised institutions and non-public OCC information. Efforts to determine if any bank customer information was compromised are ongoing.”
Last week, the OCC — which oversees nationally chartered firms, some of the largest in the world — notified Congress of a
Following the OCC’s disclosure of the breach, banks have reportedly been concerned that continued data exchange could expose their own networks to risk.
JPMorgan Chase and BNY Mellon reportedly paused electronic information sharing with the OCC after discovering that hackers broke into an OCC administrator’s account. The breach allowed hackers to monitor emails from over a hundred officials for over a year.
According to Tuesday’s letter, the breach was first flagged by Microsoft’s Global Hunting Oversight and Strategic Triage team in February, after the vendor detected unusual access patterns between a service account in Microsoft’s Azure office automation environment and OCC user mailboxes, which the Microsoft team tracked back to a virtual private network service. Virtual private networks, also known as VPNs, route a user’s internet traffic through an encrypted tunnel to a remote server, so that the destination sees the VPN server’s address rather than the user’s own, making it harder to trace their location or identity.
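The detection pattern the letter describes, a single service account reading many user mailboxes from an address outside the ranges automation is expected to use, as an added Python example that is not OCC’s or Microsoft’s code; the audit events, account names and the expected address range are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed mailbox-access audit events (not real OCC or Microsoft data).
SAMPLE_EVENTS = [
    {"actor": "svc-automation", "mailbox": "alice@example.gov", "src_ip": "203.0.113.7"},
    {"actor": "svc-automation", "mailbox": "bob@example.gov", "src_ip": "203.0.113.7"},
    {"actor": "svc-automation", "mailbox": "carol@example.gov", "src_ip": "203.0.113.7"},
    {"actor": "svc-automation", "mailbox": "dave@example.gov", "src_ip": "203.0.113.7"},
    {"actor": "svc-backup", "mailbox": "alice@example.gov", "src_ip": "198.51.100.20"},
    {"actor": "svc-backup", "mailbox": "bob@example.gov", "src_ip": "198.51.100.20"},
    {"actor": "alice", "mailbox": "alice@example.gov", "src_ip": "203.0.113.9"},
]

# Assumed egress range from which mailbox automation is expected to connect.
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed set of non-interactive accounts subject to this baseline.
SERVICE_ACCOUNTS = {"svc-automation", "svc-backup"}


def is_expected_source(ip: str) -> bool:
    """True if the source address falls inside an expected automation range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def find_suspicious_actors(events, service_accounts=SERVICE_ACCOUNTS, max_mailboxes=3):
    """Return {actor: {"mailboxes": n, "foreign_ips": [...]}} for each service
    account that touched more than max_mailboxes distinct mailboxes or reached
    any mailbox from an address outside EXPECTED_SOURCES."""
    mailboxes = defaultdict(set)
    foreign = defaultdict(set)
    for ev in events:
        actor = ev["actor"]
        if actor not in service_accounts:
            continue  # interactive users are judged against other baselines
        mailboxes[actor].add(ev["mailbox"])
        if not is_expected_source(ev["src_ip"]):
            foreign[actor].add(ev["src_ip"])
    findings = {}
    for actor, boxes in mailboxes.items():
        if len(boxes) > max_mailboxes or foreign[actor]:
            findings[actor] = {"mailboxes": len(boxes), "foreign_ips": sorted(foreign[actor])}
    return findings


if __name__ == "__main__":
    for actor, info in find_suspicious_actors(SAMPLE_EVENTS).items():
        print(f"{actor}: {info['mailboxes']} mailboxes, foreign sources {info['foreign_ips']}")
```

On the constructed events only svc-automation is flagged: it read four mailboxes from an address outside the expected range, while svc-backup stayed within both limits.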
OCC said in its Tuesday correspondence it confirmed the activity was unauthorized the next day and began its response: disabling the account, initiating third-party forensic reviews by Mandiant and CrowdStrike and reporting the incident to the Cybersecurity and Infrastructure Security Agency. Weeks later, the OCC determined the incident qualified as a major breach and informed Congress of the hack the next day.
Despite securing the compromised account and resetting all credentials tied to its Microsoft environment, the OCC acknowledged that sensitive bank data — including non-public supervisory information from regulated financial institutions — had been accessed. The OCC partnered with leading cybersecurity firms, which OCC says helped to rule out the possibility of further intrusions or lateral movement within its data systems.
The OCC says going forward it will share technical details of the breach through the Treasury’s Office of Cybersecurity and Critical Infrastructure, the Project Fortress Threat Feed and the industry consortium the Financial Services Information Sharing and Analysis Center. The agency is also bringing in outside counsel to review its IT security policies and procedures and says it will act on all resulting recommendations.
The letter also noted the OCC will hold regular briefings with supervised institutions to share updates on the breach and ongoing remediation. The agency says it also will notify any institution whose data was specifically accessed.
“We recognize regulated institutions may have questions about their provision of requested supervisory information for OCC examinations,” Hood wrote. “OCC examiners are available to work with individual institutions to answer their questions and ensure the secure exchange of required supervisory information.”