Hackers Spied on 100 US Bank Regulators' Emails for Over a Year
(Tuesday April 08, 2025 @10:31PM (msmash)
from the growing-issue dept.)
- Reference: 0176978555
- News link: https://news.slashdot.org/story/25/04/09/0034251/hackers-spied-on-100-us-bank-regulators-emails-for-over-a-year
- Source link:
Hackers [1]intercepted about 103 bank regulators' emails for more than a year, gaining access to highly sensitive financial information, Bloomberg News reported Tuesday, citing two people familiar with the matter and a draft letter to Congress. From the report:
> The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator's account, said the people, asking not to be identified because the information isn't public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft security team the day before had notified OCC about unusual network behavior, according to the draft letter.
>
> The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks -- together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a "major information security incident."
>
> "The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News. While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year.
[1] https://www.straitstimes.com/world/united-states/hackers-spied-on-100-us-bank-regulators-e-mails-for-over-a-year
> The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator's account, said the people, asking not to be identified because the information isn't public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft security team the day before had notified OCC about unusual network behavior, according to the draft letter.
>
> The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks -- together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a "major information security incident."
>
> "The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News. While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year.
[1] https://www.straitstimes.com/world/united-states/hackers-spied-on-100-us-bank-regulators-e-mails-for-over-a-year
Admins should never have access to email content (Score:2)
by misnohmer ( 1636461 )
Administrators should not have access to emails of other users. They should be able to reset passwords if needed, but a) this would be noticed by the end user and b) for any account which has sensitive information in the email, all past emails should be encrypted and lost whenever a password is reset.
Re: (Score:2)
by Hoi Polloi ( 522990 )
In some businesses SEC rules require that email be retained for at least 6 years with 2 year having them readily available.
oh oh I know this one (Score:2)
"social engineering".. ie. some joe actually gives his password away because someone asks for it?
or the more obvious, Just don't use Microsoft?
Re: (Score:2)
This is why passwords should expire every 60 days. For EVERYONE.
But a question: is this legit? Why is the ONLY coverage a singapore (chinese-owned) paper???