Unauthorized Email Access

OCC Releases Letter on Information Security Incident to Supervised Institutions

On April 8, 2025, the Office of the Comptroller of the Currency (OCC), in accordance with the Federal Information Security Modernization Act (FISMA), notified Congress that it identified a major incident resulting from a breach of the OCC's email system. The breach occurred when an unauthorized user accessed a number of OCC user accounts, including emails and attachments, via a service account with administrative-level privileges. The OCC immediately disabled the unauthorized account.

Background: On February 11, 2025, Microsoft Global Hunting Oversight and Strategic Triage (GHOST) notified the OCC that they observed unusual interactions between a service account in Microsoft’s Azure office automation environment and OCC user mailboxes hosted by Microsoft. Authentications to this service account were tracked to a location associated with a commercial Virtual Private Network (VPN) service.

On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols. This included initiating an independent third-party forensics and incident assessment of the breach by Mandiant and reporting the incident to the Cybersecurity and Infrastructure Security Agency (CISA) as required by M-25-04. The OCC subsequently secured the services of CrowdStrike to conduct a similar investigation.

During its extensive internal review, the OCC learned that the unauthorized access involved sensitive information. On April 7, the OCC determined the incident qualified as a major incident under FISMA.

On April 14th, the Office of the Comptroller of the Currency (OCC) sent a letter to its supervised institutions disclosing a major data security incident caused by a breach of the OCC's email system.