J.P. Morgan Chase and BNY have reportedly suspended the electronic sharing of information with the OCC following a cyberattack on the regulator’s email.
The OCC breach, classified by the agency and the US Treasury as a ‘major incident,’ involved unauthorised access to over 100 email accounts. Investigations indicate that the intrusion persisted for more than a year, exposing confidential regulatory correspondence and documentation. This included cybersecurity assessments, operational vulnerabilities, and classified materials such as National Security Letters, which often involve sensitive investigations into terrorism or espionage.
Though detected in February with assistance from Microsoft, the full extent of the breach only became clear after public reporting in April. Several banks, according to individuals familiar with the matter cited by Bloomberg, were not fully informed about the impact until then. The delay in communication has prompted criticism of the OCC’s incident response and disclosure protocols.
The OCC has since enlisted external cybersecurity firms, including Mandiant and CrowdStrike, to evaluate the breach and review its IT systems, such as BankNet and its large file transfer service. While the OCC confirmed it is continuing supervisory functions through its examiners, it has yet to notify all affected institutions of what specific data may have been compromised. One of the OCC’s contractors is also examining whether any stolen information has appeared on the dark web.
Financial institutions have responded to the breach in varied ways. While Bank of America is reported to be rerouting information through what it considers more secure channels, Citigroup has not altered its data-sharing practices, reportedly due to existing oversight conditions. The positions of other major banks, including Wells Fargo and Goldman Sachs, remain unclear.
Bank officials have expressed concern that the stolen correspondence could include data exposing weaknesses in their cybersecurity frameworks, potentially making them targets for future attacks.
Officials from the OCC have informed financial firms of which staff email accounts were compromised, but they have not yet disclosed whether the exposed data includes sensitive details about bank systems or investigations.