
A branch of the US Department of Treasury has declared a major security incident after identifying a serious data breach – which appears to have started with the compromise of a systems administrator’s account.
The Office of the Comptroller of the Currency (OCC) supervises all national banks, federal branches and the agencies of foreign banks.
The attacker gained “unauthorized access to a number of its executives’ and employees’ emails [that] included highly sensitive information relating to the financial condition of… regulated financial institutions,” it said this week, after identifying the security incident on February 11.
(The incident follows a major breach of the Treasury itself in December 2024. That began with exploitation of remote support software from BeyondTrust, which later confirmed that 17 customers were affected.)
The OCC learned of its incident on February 11 and reported it on April 8.
Acting Comptroller of the Currency Rodney E. Hood sounded ready to make heads roll: “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” he warned.
“There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access,” Hood said – sounding like a post-mortem had already revealed concerning issues.

OCC cybersecurity incident: Processes sound mature, but…
The OCC publicly boasts that it “operates a comprehensive information security and cyber protection program to protect the information and information systems that support its operations and assets, including the sensitive supervisory information in the agency’s custody.”
This, it noted in a July 2024 industry cybersecurity report [pdf], includes “full life cycle incident prevention, detection, disruption, and response processes, including: configuration and operation of intrusion prevention and detection, advanced persistent threat detection, endpoint malware prevention and detection, and data loss prevention technologies…”
“A potential national security concern”
Mike Britton, CISO of Abnormal Security, commented: “This isn’t just a breach of data privacy – it’s also a potential national security concern.
“This is a major incident, not just because of the duration or the number of accounts compromised, but because of the sensitivity of the data involved. With access to confidential information on federally regulated banks, threat actors could manipulate markets and generally undermine trust in the banking system. They could use sensitive contact lists and internal communications to launch highly sophisticated phishing and business email compromise campaigns against banks or other agencies.”
“Because the emails would be coming from legitimate inboxes, those phishing attempts would look especially convincing,” Britton warned.
Organisations, Britton and industry peers note, need to deploy phishing-resistant MFA as widely as possible to “ensure airtight email account access. From there, continue building up defenses with a strong vulnerability and application security program,” Britton said.