Post

Major Email Breach at US Treasury's OCC Undetected for Over a Year

Discover the details of the significant email breach at the US Treasury's Office of the Comptroller of the Currency (OCC), which went undetected for over a year. Learn about the scope, impact, and ongoing investigation of this critical cybersecurity incident.


TL;DR

The US Treasury’s Office of the Comptroller of the Currency (OCC) disclosed a major email breach: a single compromised administrative account was used to read the mailboxes of 103 employees for more than a year before the activity was noticed. The breach was detected in February 2025 after Microsoft alerted the OCC, and some of the exposed emails contained sensitive information about regulated financial institutions. The OCC says no impact on the broader financial sector has been identified. An investigation is ongoing to determine the full extent of the exposure and to address the organizational deficiencies that allowed the access to go undetected.


The US Treasury’s Office of the Comptroller of the Currency (OCC) has revealed an email breach that remained undetected for over a year. The incident involved unauthorized access to 103 employee email accounts through a compromised administrative account. The OCC confirmed the breach on February 12, 2025, initiated its incident response, and reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA).

Detection and Initial Response

The OCC learned of the breach on February 11, 2025, when a Microsoft security team alerted it to unusual network behavior. After confirming the intrusion, the OCC began a review of email logs dating back to 2022 and disabled the affected accounts to cut off further unauthorized access. The OCC states that no impact on the broader financial sector has been identified to date.
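The post does not describe how the OCC’s email logging was set up or what the Microsoft alert contained, but the pattern it reports (one administrative account reading many other users’ mailboxes over many months) is exactly what a log review of the kind mentioned above should surface. The following is an added example, not code from the original post or from the OCC, of that check written over a constructed sample log. The comma-separated record format, the account names, and the `MAX_MAILBOXES` threshold are all assumptions made for illustration; the format is not the Microsoft 365 unified audit log schema, so field names would need to be mapped to a real source.

```python
"""Hunt for one account reading many other users' mailboxes.

Added example; not code from the original post or from the OCC.
The log format below is constructed for illustration and is NOT the
Microsoft 365 unified audit log schema; map the fields to your own
source before use. MAX_MAILBOXES is an assumed tuning value.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, actor, mailbox accessed, operation.
# svc-mailadmin is a hypothetical admin principal reading six mailboxes over ~21 months.
SAMPLE_LOG = """\
2023-05-02T08:14:00Z,svc-mailadmin,alice@example.gov,MailItemsAccessed
2023-05-02T08:15:10Z,svc-mailadmin,bob@example.gov,MailItemsAccessed
2023-05-03T09:01:00Z,svc-mailadmin,carol@example.gov,MailItemsAccessed
2023-06-11T10:22:00Z,svc-mailadmin,dave@example.gov,MailItemsAccessed
2024-01-20T11:45:00Z,svc-mailadmin,erin@example.gov,MailItemsAccessed
2025-02-10T12:00:00Z,svc-mailadmin,frank@example.gov,MailItemsAccessed
2024-03-01T08:00:00Z,alice@example.gov,alice@example.gov,MailItemsAccessed
2024-03-01T08:05:00Z,bob@example.gov,bob@example.gov,MailItemsAccessed
2024-03-02T08:00:00Z,helpdesk1,grace@example.gov,MailItemsAccessed
2024-03-02T08:10:00Z,helpdesk1,grace@example.gov,MailItemsAccessed
"""

# Assumed threshold: more than this many distinct foreign mailboxes is suspicious.
MAX_MAILBOXES = 3


def parse_log(text):
    """Parse the constructed CSV lines into (timestamp, actor, mailbox, op) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, mailbox, op = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, mailbox, op))
    return events


def find_mass_mailbox_readers(events, max_mailboxes=MAX_MAILBOXES):
    """Return {actor: {mailboxes, first, last, days}} for every actor that read
    more than max_mailboxes mailboxes other than its own.

    'days' is the dwell time between the first and last foreign-mailbox read,
    which is the number that answers "how long did this go unnoticed?".
    """
    per_actor = defaultdict(lambda: {"mailboxes": set(), "first": None, "last": None})
    for ts, actor, mailbox, op in events:
        if op != "MailItemsAccessed" or actor == mailbox:
            continue  # owners reading their own mail is normal; skip it
        rec = per_actor[actor]
        rec["mailboxes"].add(mailbox)
        if rec["first"] is None or ts < rec["first"]:
            rec["first"] = ts
        if rec["last"] is None or ts > rec["last"]:
            rec["last"] = ts

    findings = {}
    for actor, rec in per_actor.items():
        if len(rec["mailboxes"]) > max_mailboxes:
            findings[actor] = {
                "mailboxes": len(rec["mailboxes"]),
                "first": rec["first"],
                "last": rec["last"],
                "days": (rec["last"] - rec["first"]).days,
            }
    return findings


if __name__ == "__main__":
    for actor, f in find_mass_mailbox_readers(parse_log(SAMPLE_LOG)).items():
        print(f"{actor}: {f['mailboxes']} mailboxes, {f['days']} days dwell "
              f"({f['first']:%Y-%m-%d} .. {f['last']:%Y-%m-%d})")
```

On the sample data only `svc-mailadmin` is flagged: six distinct mailboxes over roughly 650 days, while the help-desk account that repeatedly opens a single mailbox and the users reading their own mail are ignored. The point of the dwell-time field is that a check like this is cheap to run retroactively over archived logs, which is the review the OCC undertook only after an outside party raised the alarm.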

Scope and Impact of the Breach

Following the breach confirmation, the OCC began analyzing the compromised emails with the assistance of internal and external cybersecurity experts. Some emails contained sensitive financial data, leading the OCC and the Treasury to classify the incident as major. The review process is ongoing to assess the full extent of the data exposure.

Acting Comptroller of the Currency Rodney E. Hood emphasized the importance of information security, stating, “The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission. I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.” [1]

Details of the Cybersecurity Incident

The threat actors had access to approximately 150,000 OCC emails from May 2023 until early 2025, including the mailboxes of senior officials. They monitored the mail for highly sensitive financial information about federally regulated financial institutions. OCC Chief Information Officer Kristen Baldwin highlighted the severity of the incident, noting that the compromised emails contained critical data used in the agency’s examination and supervisory oversight processes. [2]

Ongoing Investigation and Unknowns

The identity of the threat actors remains unknown, and it is unclear whether the incident is connected to earlier intrusions at the Treasury attributed to China-linked groups. The investigation continues to establish the full scope of the breach and to address the organizational weaknesses that allowed it to occur and to go undetected for so long.



References


  1. Rodney E. Hood (February 12, 2025). “Statement on OCC Email Breach”. OCC News Release. Retrieved April 9, 2025.

  2. Kristen Baldwin (April 8, 2025). “Draft Letter to Congress”. Bloomberg News. Retrieved April 9, 2025.

This post is licensed under CC BY 4.0 by the author.