OCC reports ‘major’ cyber incident involving senior officials’ emails

Hackers intercepted bank regulators’ emails for more than a year, accessing highly sensitive financial information, the OCC said.

The Office of the Comptroller of the Currency (OCC) has notified Congress of a major security incident in which hackers accessed its email system.

The prolonged access to the agency’s email system gave the hackers access to numerous emails and email attachments containing highly sensitive data, in what the banking regulator called a “major incident.”

The breach compromised executive and employee emails, including attachments that contained “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” according to the OCC, which notified Congress as required by the Federal Information Security Modernization Act.

The OCC did not publicly disclose which vendor’s system specifically was breached or which method of initial access the attackers used.

That said, a draft letter to Congress seen by Bloomberg News said that attackers had access to more than 103 email accounts and some 150,000 emails for more than a year, and that Microsoft reported the unusual network behavior to the OCC. It has not been confirmed whether Microsoft was the vendor providing the email system.

Incident response protocols

On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes.

On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols. This included initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency (CISA), which is a part of the US Department of Homeland Security.

That same day, officials disabled the compromised administrative accounts, after which the unauthorized access was terminated. The report to CISA stated that there was no indication of any impact on the financial sector “at this time.”
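By the OCC’s account, the incident surfaced when an administrative account was seen interacting with user mailboxes, and the access was only terminated after more than a year. As an added illustration (not the OCC’s tooling or data), the following Python runs a simple heuristic over mailbox-access audit events: it flags any actor that reads several mailboxes other than its own across a long span of time. The record fields and sample events are constructed and assumed, not a real product’s schema.

```python
"""Detection heuristic: accounts reading mail in mailboxes they do not own.
Added illustration; fields (time, actor, mailbox, op) are an assumed,
simplified audit schema and the sample records below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a service/admin account reading four other people's
# mailboxes over more than a year, plus benign self- and delegate access.
SAMPLE_EVENTS = [
    {"time": "2023-12-04T08:12:00", "actor": "svc-mailadmin@example.gov",
     "mailbox": "ceo@example.gov", "op": "MailItemsAccessed"},
    {"time": "2024-03-15T22:40:00", "actor": "svc-mailadmin@example.gov",
     "mailbox": "examiner1@example.gov", "op": "MailItemsAccessed"},
    {"time": "2024-09-02T03:05:00", "actor": "svc-mailadmin@example.gov",
     "mailbox": "examiner2@example.gov", "op": "MailItemsAccessed"},
    {"time": "2025-02-10T19:30:00", "actor": "SVC-MailAdmin@example.gov",
     "mailbox": "cfo@example.gov", "op": "MailItemsAccessed"},
    {"time": "2025-02-10T09:00:00", "actor": "examiner1@example.gov",
     "mailbox": "examiner1@example.gov", "op": "MailItemsAccessed"},
    {"time": "2025-02-11T10:15:00", "actor": "assistant@example.gov",
     "mailbox": "shared-inbox@example.gov", "op": "MailItemsAccessed"},
    {"time": "2025-02-11T10:20:00", "actor": "assistant@example.gov",
     "mailbox": "shared-inbox@example.gov", "op": "Set-InboxRule"},
]


def flag_cross_mailbox_readers(events, min_mailboxes=3, min_span_days=30):
    """Return {actor: {"mailboxes": [...], "span_days": n}} for actors that
    read at least min_mailboxes foreign mailboxes across >= min_span_days."""
    seen = defaultdict(lambda: {"mailboxes": set(), "first": None, "last": None})
    for ev in events:
        actor, mailbox = ev["actor"].lower(), ev["mailbox"].lower()
        # Only mail-read events count, and reading your own mailbox is normal.
        if ev["op"] != "MailItemsAccessed" or actor == mailbox:
            continue
        when = datetime.fromisoformat(ev["time"])
        rec = seen[actor]
        rec["mailboxes"].add(mailbox)
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
    flagged = {}
    for actor, rec in seen.items():
        span = (rec["last"] - rec["first"]).days
        # Breadth (many mailboxes) plus persistence (long span) is the signal;
        # a delegate reading one shared inbox stays below the threshold.
        if len(rec["mailboxes"]) >= min_mailboxes and span >= min_span_days:
            flagged[actor] = {"mailboxes": sorted(rec["mailboxes"]), "span_days": span}
    return flagged
```

Run on real audit exports, the thresholds would be tuned to the environment, and legitimate delegates and known eDiscovery accounts allow-listed before anything is paged on.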

After confirming the unauthorized activity, the OCC immediately began analyzing the compromised email messages to determine their contents. These efforts, which involve internal data science experts and independent third parties, are ongoing.

While that review is ongoing, based on the content of the emails and attachments reviewed so far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident because the emails that were accessed were “likely to result in demonstrable harm to public confidence.”

The OCC has discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.

“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney Hood.

“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access,” he added.

The OCC said it has tapped third-party cybersecurity experts to perform a full review of the investigation and forensics efforts. It is also launching an immediate and thorough evaluation of its current IT security policies and procedures to improve its ability to prevent, detect and remediate potential security incidents going forward.

Work to engage an additional independent third party to assess and analyze internal processes related to cyber incidents is in progress, it said.

Treasury’s cyber woes

Late last year, the Treasury Department warned Congress of another cyberattack perpetrated by Chinese hackers that enabled access to the Office of Foreign Assets Control, as well as the Office of the Treasury Secretary. Computers used by former Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo and acting Undersecretary Brad Smith were among those compromised.

At least 50 files on Yellen’s computer were accessed, as well as data on sanctions, but the hackers were not able to break into the department’s email system or classified documents.

In total, investigators believe 400 laptop and desktop machines were breached, allowing access to employee usernames and passwords as well as more than 3,000 files on unclassified personal devices, according to a Treasury report.

As retaliation for the attack, in January, the US Department of Justice imposed sanctions on a Chinese individual and cybersecurity company for their involvement in the hack, alleging that they are affiliated with China’s Ministry of State Security.