In a report to Congress, the Office of the Comptroller of the Currency (OCC) disclosed a data breach potentially exposing sensitive information about financial institutions. The federal banking regulator said the breach stemmed from unauthorized access via “compromised email messages.”
The OCC provided the following statement regarding the cybersecurity incident to the American Bankers Association and other financial services trade organizations:
“On April 8, the OCC notified Congress of a major information security incident, involving unauthorized access to an administrative service account in its office automation environment and OCC user mailboxes. The OCC disabled the compromised administrative accounts to eliminate the possibility of further unauthorized access and activated its incident response protocols that include an independent third-party assessment.
“The OCC is currently analyzing the compromised email messages to determine their contents and to identify potentially sensitive information that may have been accessed. This includes utilization of third-party cybersecurity experts to perform a full review of the investigation and forensics efforts as well as a thorough evaluation of the OCC’s current IT security policies and controls.
“The OCC is committed to transparency on what occurred and is currently in the process of notifying impacted parties to inform them of the security incident. All OCC-supervised institutions will receive an invitation to a call by April 10 to provide an overview of the security event, current forensic analysis efforts underway and next steps for communication to financial institutions potentially impacted by the compromise.
“As the OCC continues to review and analyze the compromised emails, OCC-supervised institutions can expect to receive updated communications from their OCC supervisory office or point of contact. If compromised sensitive information is identified, individual institutions will be notified of the impacted data. The OCC also will confirm when the forensic analysis has been concluded and all impacted institutions notified.
“Please feel free to reach out to your local OCC supervisory office or examiner in charge with any questions.”