WASHINGTON–The security breach that the Office of the Comptroller of the Currency (OCC) described earlier this month as a “major incident” has been found to have “existed solely” in the cloud, according to an update released by the agency.

The OCC now says there is no evidence of the compromise “affecting other accounts in the tenant,” according to a letter to banks the agency has released.

On April 8, the OCC had called the breach “major” but it said the outside cybersecurity firm it retained, the Virginia-based Mandia, has since performed a forensics and incident assessment. The OCC said it also turned to cybersecurity forensics firms Microsoft GHOST and CrowdStrike to investigate what occurred.

The OCC said it has verified that, since Feb. 11 when it discovered the security breach, there has been no indication of additional activity or lateral movement within OCC IT systems by the threat actor Mandiant.

Instead, it confirmed the cloud environment scope of the breach.

Outside Counsel Engaged

“Further, the OCC is expeditiously working to engage outside counsel to thoroughly evaluate the OCC’s current IT security policies and procedures to improve its ability to prevent, detect, and remediate potential security incidents going forward,” the agency said in its letter. “The OCC is committed to acting on recommendations made as a result of the evaluation.”

The agency also said, via Mandiant, it is conducting a “thorough review” of two of its systems serving banks: BankNet and the Large File Transfer (LFT) systems. The agency indicated banks use both to share supervisory information.

“While OCC conducts regular penetration tests and security assessments on BankNet and other OCC communication systems, we have requested this additional comprehensive review to confirm its security,” the OCC said.

The agency added it will share information from Mandiant when the review has been completed. It also said it has requested CrowdStrike conduct a similar assessment and will also share findings.