Major banks restrict data sharing after OCC cyber breach

Hackers accessed emails for over a year, affecting more than 100 accounts

Several of the United States’ largest banks have begun limiting how they share data with the Office of the Comptroller of the Currency (OCC), following reports that a long-running cybersecurity breach gave hackers access to confidential regulator communications.

JPMorgan Chase & Co. and Bank of New York Mellon Corp. have paused electronic information transfers to the OCC.

The decision follows a security incident involving the OCC’s email system, in which unauthorized access went undetected for over a year and affected more than 100 accounts.

Microsoft Corp., which discovered the breach on February 11, later worked with cybersecurity firm CrowdStrike Holdings Inc. to assist the agency.

The US Treasury labeled the incident a “major” cyber event, acknowledging that hackers may have obtained sensitive data related to the financial and cybersecurity posture of regulated institutions.

Some of the data typically exchanged with the OCC includes vulnerability assessments, internal cybersecurity protocols, and even details from National Security Letters—documents tied to terrorism or espionage investigations.

The OCC has enlisted Mandiant, another cybersecurity firm, to support the ongoing review of the breach.

Despite the data-sharing pause by some institutions, the agency stated that its examiners still maintain access to necessary bank information to carry out supervisory functions. A spokesperson added that the OCC is working with independent experts to assess internal cybersecurity protocols and inform affected institutions as findings develop.

Citigroup Inc., currently operating under tighter OCC oversight due to an outstanding consent order, has not restricted its data-sharing practices; it declined to comment.

Banks including Bank of America Corp., Wells Fargo & Co., and Goldman Sachs Group Inc. have also declined to confirm whether they have modified their interactions with the OCC.

Bloomberg reported that some banks were unaware of the scope of the intrusion until after its article was published.

The OCC is still reviewing the contents of compromised emails and attachments to determine what information was accessed and whether it needs to notify affected institutions.

So far, the OCC has disclosed which employee accounts were breached but has not confirmed the specific nature of the data stolen.

Congressional scrutiny has followed the revelation. The House Financial Services Committee and the Senate Banking Committee have requested further details from the OCC, according to spokespeople for both bodies.

Marc Bleicher, chief technology officer at Surefire Cyber Inc., said that a breakdown in secure regulator communication creates risk for follow-on attacks or extortion attempts.

Meanwhile, David P. Weber, a former OCC special counsel and current professor at Salisbury University, told Bloomberg that the banks' decision to curb information flow marks a deviation from regulatory norms.

With investigations ongoing and questions unresolved, how should US regulators and financial institutions adapt to ensure secure oversight in an era of increasing cyber threats?