Identity security weaknesses at The Office of the Comptroller of the Currency: Some thoughts

The Office of the Comptroller of the Currency (OCC), part of the US Treasury Department, recently disclosed a breach of its Microsoft 365 tenant, with 103 email accounts caught up in the compromise. After carrying out an investigation, the OCC notified the US Congress, stating the breach met the criteria for a “major information security incident.”

In recent years, organizations facing such incidents usually sheepishly say in effect, “mea culpa; now we’ll implement multi-factor authentication to prevent this type of incident in the future.” While a lack of multi-factor authentication is part of this story, it’s much more nuanced than a blanket oversight.

Key details:

  • In May 2023, hackers compromised a service account with administrative-level privileges in the OCC's Microsoft 365 tenant.
  • Multi-factor authentication was not enabled on the breached service account.
  • Microsoft discovered the breach in early February 2025 (some 20 months later) and alerted the OCC. The discovery was based on observing unexpected behavior.
  • The OCC made an initial disclosure on February 26, 2025. At that point, it described the scope as “an administrative account in the OCC email system” and “a limited number of affected email accounts that have since been disabled.”
  • The OCC engaged Mandiant and CrowdStrike to investigate.
  • Over the 20 months of access, the hackers appear to have used their initial foothold to reach other Microsoft 365 mailboxes, including those of senior deputy comptrollers, international banking supervisors, and other staff. This gave them access to around 150,000 emails, although “had access to” is not the same as “actively read,” and quantifying the latter remains under investigation.
  • On April 8, 2025, the OCC notified Congress of the incident. In its public notice of doing so, the OCC said: “The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

As a result of its investigation, the OCC asserts that “there is no evidence of impact on the financial sector,” (per SecurityWeek), although in its letter to Congress, the OCC said it is likely to “result in demonstrable harm to public confidence” (per Bloomberg).

What appears particularly galling about this breach is that the OCC has for years talked the talk and walked the walk on multi-factor authentication and strong authentication generally. As a matter of policy, it has required multi-factor authentication for two decades, since 2005. It has championed wider adoption of multi-factor authentication across the financial sector. For example, in an August 2022 speech to the joint meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council, the then Acting Comptroller of the Currency (Michael Hsu) said:

The first line of defense against malicious cyber actors is the implementation of strong preventative controls to protect against unauthorized access. Last August [2021], through the FFIEC, we updated our authentication guidance to highlight how the base layer security approach of multifactor authentication, or controls of equivalent strength, can significantly strengthen controls to mitigate unauthorized access to systems and data. All financial institutions should implement effective multifactor authentication controls for access to all nonpublic systems, as even basic network systems can be entry points for malicious activity.

With a policy framework of using MFA and public statements to spread that policy more broadly, why would a critical Microsoft 365 account not have MFA enabled? In its coverage of the incident, Bloomberg spoke with an ex-special counsel for enforcement at OCC. His response – “it is shocking that they did not have it [MFA] enabled for this administrative account.”

The OCC is not a client of Osterman Research. We do not have access to inside information; we can only see what is being reported in key media outlets. Our hypothesis, on the evidence we have seen, is that this incident blindsided the OCC. The initial administrative account was overlooked or simply not seen by the IT and security teams when MFA controls were rolled out, and the OCC lacked the visibility and reporting to highlight where its own policy was not being followed, either at rollout or afterwards. Newer identity security solutions, especially in the identity security posture management area, could have prevented this incident. Such solutions add an independent assessment and enforcement engine for authentication policies, highlighting, for example, every account, service or user, that does not have MFA enabled, and doing so continuously rather than as a one-off audit.
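The kind of check such a posture-management tool runs, as an added example that is not part of the original post and not any vendor's or the OCC's own code: it walks a tenant's MFA registration report and ranks every account that violates a blanket "MFA for all accounts" policy, privileged accounts first. The records are constructed for the example; their field names follow the Microsoft Graph authentication-methods registration report (userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered, userType). The "svc-" naming convention for service accounts and the method-name strings treated as weak are assumptions.

```python
"""Rank accounts that violate an "MFA for everyone" policy.

Added example, not code from Osterman Research or the OCC.  The sample
records are constructed; they mirror the field names of Microsoft
Graph's /reports/authenticationMethods/userRegistrationDetails report.
"""
from dataclasses import dataclass

# Assumed naming convention for service (non-human) accounts.
SERVICE_ACCOUNT_PREFIX = "svc-"

# Assumed labels for methods that count as MFA but are not phishing-resistant
# (SMS/voice and e-mail one-time codes).
WEAK_ONLY = {"mobilePhone", "email"}

# Constructed sample of what a tenant export might contain.
SAMPLE_REPORT = [
    {"userPrincipalName": "svc-mailflow@example.gov", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": [], "userType": "member"},
    {"userPrincipalName": "jane.doe@example.gov", "isAdmin": True,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "fido2SecurityKey"],
     "userType": "member"},
    {"userPrincipalName": "bob.lee@example.gov", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"],
     "userType": "member"},
    {"userPrincipalName": "john.smith@example.gov", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": [], "userType": "member"},
    {"userPrincipalName": "svc-backup@example.gov", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": [], "userType": "member"},
    {"userPrincipalName": "auditor@partner.example", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"],
     "userType": "guest"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str  # "critical" > "high" > "medium"
    reason: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def is_service_account(upn: str) -> bool:
    """Classify by the assumed 'svc-' prefix on the local part of the UPN."""
    return upn.split("@", 1)[0].lower().startswith(SERVICE_ACCOUNT_PREFIX)


def assess(report):
    """Return policy violations, highest severity first, then by user name.

    An unregistered privileged account is the worst case (this is the OCC
    scenario); an unregistered service account is next, because nobody
    logs in as it interactively and so nobody notices the gap; everything
    else unregistered is medium.  Privileged accounts registered only for
    weak methods are also flagged, since the policy asks for strong MFA.
    """
    findings = []
    for rec in report:
        upn = rec["userPrincipalName"]
        admin = bool(rec.get("isAdmin"))
        registered = bool(rec.get("isMfaRegistered"))
        methods = set(rec.get("methodsRegistered", []))

        if not registered:
            if admin:
                sev, why = "critical", "privileged account with no MFA registered"
            elif is_service_account(upn):
                sev, why = "high", "service account with no MFA registered"
            else:
                sev, why = "medium", "user with no MFA registered"
            findings.append(Finding(upn, sev, why))
        elif admin and methods and methods <= WEAK_ONLY:
            findings.append(Finding(
                upn, "high",
                "privileged account registered only for SMS/voice/e-mail MFA"))

    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.user))
    return findings


def coverage(report) -> float:
    """Fraction of accounts with any MFA registered; a policy of 100% means
    anything below 1.0 is a reportable gap, not a rounding error."""
    if not report:
        return 1.0
    return sum(bool(r.get("isMfaRegistered")) for r in report) / len(report)


if __name__ == "__main__":
    print(f"MFA registration coverage: {coverage(SAMPLE_REPORT):.0%}")
    for f in assess(SAMPLE_REPORT):
        print(f"[{f.severity:8}] {f.user}: {f.reason}")
```

Two caveats when running a check like this for real. A service account that never signs in interactively cannot complete MFA registration, so a finding on one is a prompt either to move the workload to a credential that cannot be phished (a managed or workload identity, certificate-based authentication) or to put it behind a Conditional Access policy that blocks interactive sign-in outright; leaving it password-only with admin rights is the configuration the OCC is now explaining to Congress. And the report is only as good as the schedule it runs on: the point of posture management is that the check is re-run continuously, so an account created after the MFA rollout is caught the week it appears, not 20 months later.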

Last month we published CISO and CIO Investment Priorities for Cybersecurity in 2025, which includes a deep dive on investment priorities for identities. See pages 24-27 for more. Non-human identities (which include service accounts) get a specific call-out on page 27:

Protecting against identity attacks that seek to compromise non-human identities is the only issue across all four areas where the security priority in 2025 is higher among those not managing risks well compared to those who are. This is an unaddressed issue for too many organizations, and the warning bells are sounding.

Don’t be the next OCC.
