Attackers gained access to emails containing sensitive government data related to financial institutions in a cyberattack on the Department of the Treasury's Office of the Comptroller of the Currency (OCC), in what the agency characterized as a "major incident."
The breach compromised executive and employee emails, including attachments that contained "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes," according to a press statement by the OCC. The OCC charters, regulates and supervises all national banks, federal savings associations and federal branches and agencies of foreign banks.
The OCC did not publicly say which vendor's system was breached or how the attackers first got in. However, a published report said that the attackers had access to more than 103 email accounts and some 150,000 emails for more than a year, and that Microsoft reported the unusual network behavior to the OCC, suggesting Microsoft was the vendor providing the email system.
The OCC first became aware of the cybersecurity incident on Feb. 11, when it "learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes." Officials confirmed a day later that the activity was unauthorized and disabled the compromised administrative accounts, after which the unauthorized access was terminated.
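The detection signal the OCC describes, one administrative account interacting with many user mailboxes, is something a security operations team can hunt for in mailbox-access audit logs before a vendor has to point it out. The script below is an added example, not code from the OCC, Microsoft or Cybersecurity Dive. It assumes a record layout loosely modeled on Microsoft 365 unified-audit-log MailItemsAccessed events (UserId for the account doing the reading, MailboxOwnerUPN for whose mailbox it is); those field names, the sample records and the example.gov addresses are constructed assumptions, not real audit data. It flags any account that reads a threshold number of mailboxes it does not own inside a sliding time window, which separates a mass-access pattern from an ordinary delegate reading one shared mailbox.

```python
"""Flag accounts that read mailboxes they do not own.

Added example (not the OCC's, Microsoft's or the article's code). Record
fields are assumed, loosely following M365 MailItemsAccessed audit events;
all sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an admin/service account touching several user
# mailboxes in a short span, plus normal activity that must not be flagged.
SAMPLE_EVENTS = [
    # isolated read long before the main cluster: outside any 24h window
    {"CreationTime": "2025-01-20T02:05:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "erin@example.gov",
     "ClientIPAddress": "203.0.113.7"},
    {"CreationTime": "2025-02-10T03:12:44", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "alice@example.gov",
     "ClientIPAddress": "203.0.113.7"},
    {"CreationTime": "2025-02-10T03:14:02", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "bob@example.gov",
     "ClientIPAddress": "203.0.113.7"},
    {"CreationTime": "2025-02-10T03:20:19", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "carol@example.gov",
     "ClientIPAddress": "203.0.113.7"},
    {"CreationTime": "2025-02-10T22:41:00", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "dave@example.gov",
     "ClientIPAddress": "198.51.100.23"},
    {"CreationTime": "2025-02-10T22:43:30", "Operation": "MailItemsAccessed",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "alice@example.gov",
     "ClientIPAddress": "198.51.100.23"},
    # a user reading their own mailbox: normal, ignored
    {"CreationTime": "2025-02-10T08:00:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.gov", "MailboxOwnerUPN": "bob@example.gov",
     "ClientIPAddress": "192.0.2.10"},
    {"CreationTime": "2025-02-10T09:30:00", "Operation": "MailItemsAccessed",
     "UserId": "Bob@Example.gov", "MailboxOwnerUPN": "bob@example.gov",
     "ClientIPAddress": "192.0.2.10"},
    # a delegate reading one colleague's mailbox: below the threshold
    {"CreationTime": "2025-02-10T10:15:00", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.gov", "MailboxOwnerUPN": "dave@example.gov",
     "ClientIPAddress": "192.0.2.11"},
    # a non-read operation: filtered out regardless of actor
    {"CreationTime": "2025-02-10T11:00:00", "Operation": "Send",
     "UserId": "svc-exchadmin@example.gov", "MailboxOwnerUPN": "alice@example.gov",
     "ClientIPAddress": "203.0.113.7"},
]


def cross_mailbox_reads(events, window=timedelta(hours=24), min_mailboxes=3):
    """Return {actor: finding} for actors whose MailItemsAccessed events hit
    at least `min_mailboxes` distinct mailboxes they do not own within any
    sliding `window`. A finding lists the mailboxes, source IPs and number
    of events that fell inside a triggering window."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("Operation") != "MailItemsAccessed":
            continue
        actor = e["UserId"].lower()
        owner = e["MailboxOwnerUPN"].lower()
        if actor == owner:
            continue  # reading your own mailbox is expected
        by_actor[actor].append(
            (datetime.fromisoformat(e["CreationTime"]), owner, e.get("ClientIPAddress")))

    findings = {}
    for actor, reads in by_actor.items():
        reads.sort(key=lambda r: r[0])
        hit_idx = set()  # indices of events inside some triggering window
        for i, (t0, _, _) in enumerate(reads):
            # every later read that falls within `window` of this one
            span = [j for j in range(i, len(reads)) if reads[j][0] - t0 <= window]
            if len({reads[j][1] for j in span}) >= min_mailboxes:
                hit_idx.update(span)
        if hit_idx:
            findings[actor] = {
                "mailboxes": sorted({reads[j][1] for j in hit_idx}),
                "source_ips": sorted({reads[j][2] for j in hit_idx if reads[j][2]}),
                "events": len(hit_idx),
            }
    return findings


if __name__ == "__main__":
    for actor, f in cross_mailbox_reads(SAMPLE_EVENTS).items():
        print(f"{actor}: {f['events']} reads across {len(f['mailboxes'])} "
              f"mailboxes from {', '.join(f['source_ips'])}")
```

The window and threshold are tuning knobs: a help-desk account that legitimately opens a handful of mailboxes per day needs a higher bar than an automation identity that should never read user mail, and the cleanest version of this control is an allowlist of accounts permitted to read other mailboxes at all, with everything else alerting on the first cross-mailbox read.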
Microsoft could not immediately be reached for comment. The OCC provided the first public notice of the breach on Feb. 26.
Organizational and structural deficiencies to blame
The office has launched an internal and independent third-party review of the incident to determine the full extent of the breach, which Acting Comptroller of the Currency Rodney E. Hood in a press statement attributed to "long-held organizational and structural deficiencies."
"There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access," he said.
Indeed, the incident is the second known data breach at the Treasury Department in a span of several months; in December, the department alerted lawmakers that Chinese state-backed threat actors had compromised its systems and stolen data from workstations. That breach was linked to the exploitation of a vulnerability in a product from BeyondTrust, a vendor of software-as-a-service (SaaS)-based cybersecurity tools.
The office of Sen. Tim Scott (R-S.C.), chairman of the Committee on Banking, Housing and Urban Affairs who aided in the investigation of the December breach related to BeyondTrust, did not immediately return a call seeking comment Wednesday.
Treasury may need to rethink security policies
While there is no evidence released so far that the breaches are linked, there is certainly potential for connection given the timing and nature of the incident, noted Gabrielle Hempel, security operations strategist and threat intelligence researcher for the Exabeam TEN18 Team, in an email sent to Cybersecurity Dive. This alone should spur the Treasury Department to revamp its security policies, she said; the agency said it is considering this move.
"Even absent attribution, the timing and the target profile … suggest at the very least, a similarity in actor intent and at most potential campaign coordination," she said.
In light of the breach, the OCC said it has indeed launched an evaluation of its current IT security policies and procedures and will enlist an independent third party to assess and analyze internal processes related to cybersecurity incidents.
Given that the incident demonstrated a failure in traditional perimeter defenses that allowed hackers access to so many email accounts for a prolonged period of time, the office may want to take a "zero-trust" approach to cybersecurity going forward, especially given that it regularly handles such highly sensitive data, Hempel said.
"Sensitive financial regulatory information should have access limited, and sensitive communications should be encrypted and housed in hardened systems — not just left in email," she said.