Pierluigi Paganini
April 09, 2025
The US Treasury’s Office of the Comptroller of the Currency (OCC) disclosed an undetected major email breach for over a year. The cybersecurity incident involved unauthorized access to emails via a compromised admin account.
The breach was confirmed on Feb. 12, 2025, triggering incident response and reporting to CISA. Affected accounts were disabled.
The OCC reviewed email logs since 2022, disabled impacted accounts, and reported the breach to CISA. No impact on the financial sector was found.
After confirming the breach, the OCC began analyzing compromised emails with internal and external experts. Some contained sensitive financial data, leading the OCC and Treasury to classify the incident as a major one. The review process is still ongoing.
“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney E. Hood. “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
Threat actors accessed 103 OCC employee emails for over a year via a compromised admin account, exposing sensitive financial data.
“Hackers intercepted about 103 bank regulators’ emails for more than a year, gaining access to highly sensitive financial information, according to two people familiar with the matter and a draft letter to Congress seen by Bloomberg News.” reported Bloomberg. “The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator’s account, said the people, asking not to be identified because the information isn’t public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft Corp. security team the day before had notified OCC about unusual network behavior, according to the draft letter.”
Hackers accessed approximately 150,000 OCC emails from May 2023, including senior officials’ mailboxes, before being detected and removed in early 2025.
“Earlier this year, the OCC discovered unauthorized access to a limited number of its executives’ and employees’ emails that contain highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” OCC Chief Information Officer Kristen Baldwin said in the draft letter.
The threat actors behind the security breach remain unknown, and it’s unclear if the incident is linked to past Treasury attacks by China-linked groups.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Office of the Comptroller of the Currency)
