Attackers gained access to emails containing sensitive government data related to financial institutions in a cyberattack on the Office of the Comptroller of the Currency, in what the banking regulator characterized as a "major incident."
The breach compromised executive and employee emails, including attachments that contained "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes," according to a press statement Tuesday.
The OCC did not publicly disclose specifically which vendor's system was breached or which method of initial access the attackers used. However, a published report indicated attackers had access to more than 103 email accounts and some 150,000 emails for more than a year, and that Microsoft reported the unusual network behavior to the OCC, suggesting it was the vendor providing the email system.
The OCC first became aware of the cybersecurity incident Feb. 11, when it "learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes." Officials confirmed a day later that the activity was unauthorized and disabled the compromised administrative accounts, after which the unauthorized access was terminated.
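The signal the OCC describes, a single administrative account interacting with many user mailboxes, is the kind of pattern a mailbox-access audit log can surface. The script below is an added illustration, not code from the OCC, Microsoft or the published report; the log format, account names and thresholds are assumptions constructed for the example.

```python
# Added example (not OCC or Microsoft code): flag a privileged account that
# reads an unusual number of distinct user mailboxes within a short window.
# The log format, account names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp, acting account, mailbox, operation.
SAMPLE_LOG = """\
2025-02-10T08:01:00Z svc-mailadmin alice@agency.example MailItemsAccessed
2025-02-10T08:01:30Z svc-mailadmin bob@agency.example MailItemsAccessed
2025-02-10T08:02:10Z svc-mailadmin carol@agency.example MailItemsAccessed
2025-02-10T08:02:45Z svc-mailadmin dave@agency.example MailItemsAccessed
2025-02-10T08:03:05Z svc-mailadmin erin@agency.example MailItemsAccessed
2025-02-10T09:15:00Z alice@agency.example alice@agency.example MailItemsAccessed
2025-02-10T09:20:00Z helpdesk-admin bob@agency.example MailItemsAccessed
2025-02-11T10:00:00Z svc-mailadmin frank@agency.example MailItemsAccessed
"""

ADMIN_ACCOUNTS = {"svc-mailadmin", "helpdesk-admin"}  # assumed privileged accounts


def parse_log(text):
    """Parse whitespace-separated records into (time, actor, mailbox, op) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, mailbox, op = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, mailbox, op))
    return records


def find_mailbox_sweeps(records, window=timedelta(hours=1), max_mailboxes=3):
    """Return {actor: mailboxes} for privileged accounts that touched more than
    max_mailboxes distinct mailboxes (other than their own) inside any window."""
    by_actor = defaultdict(list)
    for ts, actor, mailbox, _ in sorted(records):
        if actor in ADMIN_ACCOUNTS and actor != mailbox:
            by_actor[actor].append((ts, mailbox))
    findings = {}
    for actor, events in by_actor.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            touched = {m for _, m in events[start:end + 1]}
            if len(touched) > max_mailboxes:
                findings[actor] = findings.get(actor, set()) | touched
    return findings
```

A single admin reading one mailbox for support is not flagged here; it is the breadth of mailboxes touched in a short span that trips the rule.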
An OCC media representative did not immediately return a phone call requesting more details Wednesday. Microsoft also could not immediately be reached for comment. The OCC provided the first public notice of the breach Feb. 26.
Organizational, structural deficiencies
The OCC has launched an internal and independent third-party review of the incident to determine the full extent of the breach, which Acting Comptroller of the Currency Rodney Hood attributed to "long-held organizational and structural deficiencies."
"There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access," he said in a press statement.
Indeed, the incident is the second known data breach at the Treasury Department in several months' time; in December, the department also alerted lawmakers that Chinese state-backed threat actors had compromised its systems and stolen data from workstations. That breach was linked to the exploitation of a bug in BeyondTrust, a vendor that offers software-as-a-service-based cybersecurity products.
The office of Sen. Tim Scott, R-S.C., the Senate Banking Committee chair who aided in the investigation of the December breach related to BeyondTrust, did not immediately return a call seeking comment Wednesday.
Rethinking security policies
While there is no evidence released so far that the breaches are linked, there is certainly potential for connection given the timing and nature of the incident, Gabrielle Hempel, security operations strategist and threat intelligence researcher for the Exabeam TEN18 Team, said in an email. This alone should spur the Treasury Department to revamp its security policies, she said; the agency said it is considering this move.
"Even absent attribution, the timing and the target profile … suggest at the very least, a similarity in actor intent and at most potential campaign coordination," she said.
In light of the breach, the OCC said it has launched an evaluation of its IT security policies and procedures and will enlist an independent third party to assess and analyze internal processes related to cybersecurity incidents.
Given that the incident demonstrated a failure in traditional perimeter defenses that allowed hackers access to so many email accounts for a prolonged period of time, the office may want to take a "zero-trust" approach to cybersecurity going forward, especially given that it regularly handles such highly sensitive data, Hempel said.
"Sensitive financial regulatory information should have access limited, and sensitive communications should be encrypted and housed in hardened systems — not just left in email," she said.