When it comes to security, you can take it to the bank—just don’t talk about it too much via email.
That’s a lesson that federal regulators from the Office of the Comptroller of the Currency (OCC) learned the hard way. A little over 100 bank regulators had their email accounts hacked and accessed for a year, the OCC told Congress on Apr. 8.
The attack lasted a year, during which hackers had access to over 150,000 emails. In a letter viewed by Bloomberg, OCC Chief Information Officer Kristen Baldwin wrote that it involved “unauthorized access to a limited number of its executives’ and employees’ emails that contain highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”
Once you’re in. Erich Kron, security awareness advocate at KnowBe4, told IT Brew that while it wasn’t clear how threat actors got into the system, once they infiltrated the accounts they were potentially able to go through a number of records.
“I don’t know exactly what they did in this case to take over those accounts, but I will say, it’s quite scary that they were there for the length of time,” Kron said.
One way that attackers could take advantage of that access is to “piggyback” on old messages and potentially look over years of correspondence, Kron said. Often, email accounts can have correspondence and information going back for years—and “the amount of information that they could glean from that and the low amount of effort it would take” is concerning.
Mr. Fixit. Like most organizations, the federal government can be lax when it comes to investment in cybersecurity. That’s part of the reason it took so long to find the breach, Kron guessed, combined with the fact that “in the top tiers of the government, a lot of these folks are older folks who are not digital natives.”
“They may not understand the threats the same way that other places do, especially when you compare it to banking and finance, who are getting attacked all the time, they have a lot at stake there,” Kron said.
In a statement accompanying the OCC’s news release explaining the breach, Acting Comptroller of the Currency Rodney E. Hood said he was working to figure out the extent of the damage and to “remedy the long-held organizational and structural deficiencies that contributed to this incident.”
“There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access,” Hood said.