A cyber incident involving the Office of the Comptroller of the Currency’s email systems led to unauthorized access to highly sensitive information about the financial condition of financial institutions the agency supervises, according to a notice to Congress by the OCC. The notice is required by the Federal Information Security Modernization Act.
The OCC publicly disclosed the data breach in February but released details today about the incident. According to an agency statement, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes in mid-February. The OCC implemented incident response protocols and began analyzing the compromised emails to determine their contents. Some contained sensitive information on financial institutions.
The OCC has brought in third-party cybersecurity experts to perform a full review of the investigation and forensics efforts, according to the agency. It is also launching an evaluation of its current IT security policies and procedures, and plans to engage an additional independent third-party to assess and analyze internal processes related to cyber incidents.
“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney Hood. “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
