OCC to Notify Financial Institutions Affected By Email System Breach

WASHINGTON—The OCC intends to notify financial institutions if their data was compromised in a recent security breach affecting the agency’s email systems, the agency stated in a letter.

The agency said it also plans to hold regular meetings with banks and other stakeholders to maintain open communication and provide updates on the investigation and ongoing remediation efforts.

As CUToday.info reported, the Office of the Comptroller of the Currency reported a major security breach in its email system and has informed Congress of the incident. The OCC said the finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access.

In its recent letter, Acting Comptroller of the Currency Rodney Hood explained how the OCC addressed the compromise and how it will work with FIs.

Hood said that in response to the unauthorized activity, the OCC disabled the compromised service account and confirmed the unauthorized access had been terminated. The OCC also globally reset all credentials associated with its full Microsoft tenant to eliminate the possibility of further unauthorized access by the threat actor.

“At this time, the OCC has confirmed the universe of the compromised email mailboxes, dates of compromise, and messages and attachments accessed during the incident,” Hood said. “Efforts to analyze the compromised email messages to determine their contents have been initiated and are ongoing.”

Further Actions

Hood said the OCC is configuring and hardening its Microsoft 365 environment in alignment with secure baseline requirements issued under Binding Operational Directive 25-01, “Implementing Secure Practices for Cloud Services.” The OCC has also enhanced oversight of the contractor-led management of the Microsoft email environment.

The OCC has partnered with Microsoft GHOST, as well as Mandiant and CrowdStrike, well-known cybersecurity forensics firms, to perform a full investigation relating to the incident. Mandiant and CrowdStrike have both reviewed all activity within OCC’s Microsoft Cloud tenant and verified there has been no indication of additional activity or lateral movement within OCC IT systems by the threat actor, Hood explained.

On April 10, Mandiant further confirmed the breached account existed solely in the cloud environment, and their analysis found no evidence of compromise affecting other accounts in the tenant, Hood said.

Technical information on the nature of the attack and indicators of compromise will be shared via U.S. Treasury in an OCCIP circular, on the Project Fortress Threat Feed platform and also through FS-ISAC, Hood said.

“Further, the OCC is expeditiously working to engage outside counsel to thoroughly evaluate the OCC’s current IT security policies and procedures to improve its ability to prevent, detect, and remediate potential security incidents going forward. The OCC is committed to acting on recommendations made as a result of the evaluation,” Hood said.

Hood said the OCC is committed to ensuring its supervised institutions are informed of its efforts to address the breach and to fortify its information security systems.

“To this end, the OCC will host regular meetings with regulated banks, savings associations, and service providers to ensure open lines of communication and share current information about findings and the status of efforts underway to resolve the incident,” Hood said.

Hood added that, for their awareness, the OCC will inform each regulated institution if it determines the unauthorized user accessed information specific to that institution.

“The OCC also will provide all supervised institutions with email user domains that were included in the compromised information so they may determine what information or data they may have sent to OCC users during the timeframe of the unauthorized access,” Hood said.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/OCC-to-Notify-Financial-Institutions-Affected-By-Email-System-Breach