OCC Admin Account Breach

tracesecurity

The Breach

On February 11, 2025, the Office of the Comptroller of the Currency (OCC) detected unusual activity by an administrator account in its automation environment, which was accessing OCC user mailboxes. The next day, the OCC confirmed that this activity was unauthorized and initiated its incident response procedures.

For context, the OCC is an independent federal agency within the Department of the Treasury that charters, regulates, and supervises American national banks, federal branches of foreign banks, and federal savings associations. On February 12, 2025, the OCC activated its incident response plan, and its incident response teams began work.

The Response

The teams first identified the unauthorized administrative account, and third-party entities were brought in to assess the incident, including Microsoft GHOST, Mandiant, and CrowdStrike. The account was contained, disabled, and its access terminated while Mandiant and CrowdStrike reviewed all activity within the OCC’s Microsoft Cloud tenant to verify that there was no additional activity by this account and no lateral movement within the IT systems. Mandiant confirmed these findings, stating that the breached account existed only within the cloud environment and that there was no evidence of other compromised accounts. The OCC also reported the incident to the Cybersecurity and Infrastructure Security Agency, as required by law.

The OCC’s internal data scientists analyzed all messages in the compromised account and in the accounts that had interacted with it. As the incident progressed, discussions with the Department of the Treasury led to the decision to escalate the incident to major severity. It was discovered that the unauthorized account had access to executive and employee emails containing highly sensitive information. Some of this information related to the financial status of federally regulated financial institutions and was used for examinations. Email logs were traced back to 2022 and identified several other impacted email accounts, which were also disabled.

Despite these findings, the OCC reported no financial impact from the breach. It responded further by resetting all user credentials to eliminate any possibility of other compromised accounts or of further unauthorized access by this threat actor. As part of its post-incident response, the OCC would continue reviews and investigations of its current IT security policies and procedures over the following several months, engaging additional third parties to perform assessments and hardening of its Microsoft 365 environment.
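The detection and scoping steps described above (an automation-environment admin account reading user mailboxes, and audit logs walked back to find every mailbox it touched) can be expressed as a simple check over mailbox-access audit records. The following is an added Python example, not code from the OCC, its vendors, or this post; the records are constructed, loosely modelled on Microsoft 365 MailItemsAccessed audit entries, and the field names, LogonType values, and the automation-account list are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records, loosely modelled on Microsoft 365 Unified Audit
# Log "MailItemsAccessed" entries. The field names and LogonType values
# (0 = owner, 1 = admin, 2 = delegate) are an assumption for this example.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"CreationTime":"2022-06-03T14:20:00","Operation":"MailItemsAccessed",
  "UserId":"svc-automation@example.gov","MailboxOwnerUPN":"exec.one@example.gov","LogonType":1},
 {"CreationTime":"2025-02-10T22:41:09","Operation":"MailItemsAccessed",
  "UserId":"svc-automation@example.gov","MailboxOwnerUPN":"examiner.two@example.gov","LogonType":1},
 {"CreationTime":"2025-02-11T03:15:30","Operation":"MailItemsAccessed",
  "UserId":"svc-automation@example.gov","MailboxOwnerUPN":"exec.one@example.gov","LogonType":1},
 {"CreationTime":"2025-02-11T09:00:02","Operation":"MailItemsAccessed",
  "UserId":"exec.one@example.gov","MailboxOwnerUPN":"exec.one@example.gov","LogonType":0},
 {"CreationTime":"2025-02-11T09:05:00","Operation":"MailItemsAccessed",
  "UserId":"assistant@example.gov","MailboxOwnerUPN":"exec.one@example.gov","LogonType":2},
 {"CreationTime":"2025-02-11T09:30:00","Operation":"Set-Mailbox",
  "UserId":"svc-automation@example.gov","MailboxOwnerUPN":"examiner.two@example.gov","LogonType":1}
]""")

# Identities that exist only to run automation and have no business reading user mail (assumed).
AUTOMATION_ACCOUNTS = {"svc-automation@example.gov"}


def flag_automation_mail_reads(records, automation_accounts):
    """Flag automation/admin identities that read mailboxes they do not own.

    Returns {actor: {"mailboxes": [owners...], "first": iso, "last": iso}}; the
    mailbox list is the scoping output (which owners to notify or disable) and
    the first/last timestamps show how far back the activity reaches."""
    hits = defaultdict(lambda: {"mailboxes": set(), "first": None, "last": None})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue                      # only mailbox read events matter here
        actor, owner = r["UserId"].lower(), r["MailboxOwnerUPN"].lower()
        if actor not in automation_accounts or owner == actor:
            continue                      # owner access, or not an automation identity
        h = hits[actor]
        h["mailboxes"].add(owner)
        t = r["CreationTime"]             # fixed-width ISO-8601 strings compare chronologically
        h["first"] = t if h["first"] is None or t < h["first"] else h["first"]
        h["last"] = t if h["last"] is None or t > h["last"] else h["last"]
    return {a: {"mailboxes": sorted(h["mailboxes"]), "first": h["first"], "last": h["last"]}
            for a, h in hits.items()}


if __name__ == "__main__":
    for actor, h in flag_automation_mail_reads(SAMPLE_AUDIT_LOG, AUTOMATION_ACCOUNTS).items():
        print(f"ALERT {actor}: {len(h['mailboxes'])} foreign mailboxes, {h['first']} .. {h['last']}")
```

On the sample data the automation account is flagged for two foreign mailboxes with activity reaching back to 2022, while the owner's own access and the delegate's access are not reported.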

Moving Forward

On February 26, 2025, the OCC released a public statement informing the public of the security incident involving its user email system. On April 8, 2025, Congress was notified of the breach, in which an unauthorized administrator account had accessed the user email system. The acting Comptroller of the Currency, Rodney E. Hood, released the following statement:

“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission. I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

As of April 15, 2025, the OCC has begun, and will continue, reaching out to financial institutions to inform them if their data was exposed during the incident. As part of its comprehensive review, third-party service provider Mandiant is conducting further reviews of the BankNet and Large File Transfer systems, which are used to share supervisory information. Mandiant has also continued penetration testing of the BankNet system. CrowdStrike will continue conducting similar assessments, and the findings will be shared with the OCC once completed.

External Chief Information Security Officers (CISOs) were selected to help implement industry best practices for security systems wherever those practices were found not to be in use. In response to the breach, major U.S. banks JPMorgan Chase and Bank of New York Mellon have announced that they will pause all electronic data sharing with the OCC. Meanwhile, Bank of America plans to use more secure channels for communication, as reported by Fast Company.
