US regulator OCC Claims Email Hack Exposed Sensitive Bank Details

 

The US Office of the Comptroller of the Currency (OCC), a key banking regulator, officially classified a significant breach of its email system as a "major information security incident" after learning that malicious actors accessed highly sensitive bank supervisory data for eight to nine months before being detected. 

On February 11, 2025, the OCC became aware of "unusual interactions" between a system administrative account and user mailboxes in its office automation environment. By February 12, the agency had determined that the activity was unauthorised, engaged its incident response mechanisms, reported the problem to CISA (the Cybersecurity and Infrastructure Security Agency), and blocked the compromised administrative accounts, effectively terminating the unauthorised access.

However, subsequent investigations, including internal evaluations and those conducted by independent third parties, revealed that the infiltration was much larger than previously thought. According to Bloomberg News, citing sources familiar with the investigation, the unauthorised access began in May or June 2024 and was discovered in February 2025. During this prolonged period, the attackers gained access to around 150,000 emails from 100 to 103 accounts, including those of senior OCC executives and workers.

On April 8, 2025, the OCC formally informed the United States Congress that the breach satisfied the threshold for a "major incident" under the Federal Information Security Modernisation Act (FISMA). This classification is based on the fact that the stolen emails and attachments contained "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes."

Acting Comptroller of the Currency Rodney E. Hood stated unequivocally that "long-held organisational and structural deficiencies" led to the incident and promised "full accountability for the vulnerabilities identified and any missed internal findings." The OCC is conducting a thorough audit of its IT security rules and procedures, and it has engaged third-party cybersecurity experts for review. Additional experts may be brought in to analyse internal cyber incident processes. 

The prolonged, undetected access to highly sensitive regulatory information about the health and oversight of US national banks constitutes a severe security flaw within a critical financial regulatory body. Exposure of such data increases the risk of its misuse for market manipulation, espionage, or enabling targeted assaults on financial institutions. While the OCC claimed in February that there was "no indication of any impact to the financial sector," the sensitivity of the exposed data may cause "demonstrable harm to public confidence."