The Office of the Comptroller of the Currency is “now determining what data has been accessed” in a security breach of its email system reported last week, Acting Comptroller Rodney Hood wrote Monday in a draft letter to bank CEOs.
The agency has made improvements to its IT security, Hood said, adding that the OCC is taking stock of “the extent to which highly sensitive information relating to the financial condition of federally regulated financial institutions was compromised.”
Meanwhile, several large banks are limiting the information they share with the agency.
JPMorgan Chase has put a hold on sharing information electronically with the OCC, a source familiar with the matter told Banking Dive. The bank is ensuring that it’s communicating with its regulators safely, according to the source.
BNY has also paused sharing information over security concerns, sources told Bloomberg, as has Bank of America, sources told The Wall Street Journal.
Not all banks are limiting their info sharing. Citi, for one, hasn’t moved to do so, as it wasn’t in its practice to share classified information via email, according to a source familiar with the matter.
Citi declined to comment to Banking Dive, as did BNY. Bank of America did not return a request for comment.
The OCC will inform each regulated institution if the hackers accessed information specific to their company, Hood wrote. The agency will also provide all institutions with email addresses that were included in the compromised information so they can determine what information was shared with the OCC during the time frame the breach occurred.
The OCC is partnering with Microsoft Global Hunting Oversight and Strategic Triage, as well as cybersecurity firms Mandiant and CrowdStrike, to perform a full investigation relating to the incident. The agency has globally reset all credentials associated with its Microsoft tenant to eliminate further threat by the same hacker, Hood wrote.
During an internal review, the OCC found that hackers accessed sensitive information, Hood wrote. The OCC then determined the breach qualified as a “major incident” under the Federal Information Security Modernization Act, meaning it's likely to “result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”
The OCC learned Feb. 12 that an unauthorized user had accessed a number of agency email accounts, and it then activated incident response protocols, the agency said. The agency notified the public Feb. 26.
Hackers gained access to more than 100 email accounts and roughly 150,000 emails from May 2023 until February, including the mailboxes of senior deputy comptrollers and international banking supervisors, Bloomberg reported April 8, citing a draft letter to Congress.