
Hackers accessed 150,000 emails of 100 US bank regulators at OCC


Unspecified hackers accessed more than 150,000 emails handled by at least 100 bank regulators at the Office of the Comptroller of the Currency (OCC), messages dating back to June 2023 that contain sensitive details about many banks the agency oversees.

Bloomberg first reported April 8 that the independent bureau of the U.S. Treasury Department was breached and based its story on two people familiar with the matter.

The OCC also notified Congress of the incident the same day as the Bloomberg report, calling it a “major incident.”

In its public statement, the OCC said it discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the “financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

The OCC originally disclosed the breach on Feb. 26, when it told the Cybersecurity and Infrastructure Security Agency (CISA) that there is no indication of any impact to the financial sector “at this time.”

Security experts expressed concern over the news, pointing to how recent cuts at CISA and other federal agencies will weaken cybersecurity in the federal government and across the public sector and U.S. election systems.

“The OCC breach is part of a trend of sophisticated email attacks targeting government agencies,” said J. Stephen Kowski, Field CISO at SlashNext Email Security. “This incident, combined with recent CISA funding cuts to critical cybersecurity programs … creates a perfect storm where agencies must now defend against nation-state threats with fewer resources.”

Scott Weinberg, chief executive officer at Neovera, said a bad actor could easily take advantage of this information and launch a broad series of attacks to not only disrupt services but to perpetrate fraud with the knowledge of a bank’s weaknesses or lack of cybersecurity controls and processes.

“Think about it: If a hacker knows who the weakest targets are, and in addition they know that target’s weakest areas, they will have a much easier time of wreaking havoc,” said Weinberg. “They can essentially cherry pick the banks they want to go after. Even those banks with strong defenses and processes in place are vulnerable to attacks, because the sensitive data obtained may contain the names of systems the banks use, and it may also contain the processes the banks follow to mitigate risk and fraud.”

Jason Soroko, senior fellow at Sectigo, pointed out that OCC’s disclosure does not specify if the compromised email system was powered by a vendor like Microsoft, nor does it detail the particular vulnerability exploited, leaving critical technical and attribution questions unanswered.

“No direct link has been established between any previous incident and this breach,” said Soroko. “Historically, such incidents have often involved vulnerabilities in widely deployed systems, but in this case, further investigation is required to tie the attack to a specific vendor or vulnerability.”
