
The Office of the Comptroller of the Currency (OCC), which describes itself as “an independent bureau of the U.S. Department of the Treasury,” suffered a long-term, major cyberattack that came to light in February 2025 but was reported more fully only this month. Hackers invaded over a hundred OCC email accounts and had access to some 150,000 emails.
And now banks like J.P. Morgan and Bank of New York Mellon have stopped sharing sensitive information, the kind no hacker should ever see, with the OCC because of the attack (“Banks restrict data transfers to OCC amid cybersecurity concerns,” The Paypers, April 16, 2025).
Investigations indicate that the intrusion persisted for more than a year, exposing confidential regulatory correspondence and documentation. This included cybersecurity assessments, operational vulnerabilities, and classified materials such as National Security Letters, which often involve sensitive investigations into terrorism or espionage.
Though detected in February with assistance from Microsoft, the full extent of the breach only became clear after public reporting in April. Several banks, according to individuals familiar with the matter cited by Bloomberg, were not fully informed about the impact until then. The delay in communication has prompted criticism of the OCC’s incident response and disclosure protocols….
Bank officials have expressed concern that the stolen correspondence could include data exposing weaknesses in their cybersecurity frameworks, potentially making them targets for future attacks.
Officials from the OCC have informed financial firms of which staff email accounts were compromised, but they have not yet disclosed whether the exposed data includes sensitive details about bank systems or investigations.
The possibility that “the stolen correspondence could include data exposing weaknesses in [banks’] cybersecurity frameworks” should be of great general interest because banks are one of the places we keep our money.
The OCC has not yet identified a culprit. Many reports don’t seem to be curious about who might be behind the attack.
SBS CyberSecurity said: “According to Bloomberg, the hackers accessed the email accounts of approximately 100 senior officials and viewed more than 150,000 messages dating back to June 2023. Many of these emails contained sensitive information about the financial condition of federally regulated institutions, prompting the OCC to classify the incident as a major breach. In response, the OCC has implemented a range of remediation measures and initiated a long-term review of its internal cybersecurity practices…. Lesson: Overprivileged accounts without sufficient segmentation or monitoring present a high-value target for attackers.” Nothing about who might be responsible for the cyberattack.
PYMNTS said: “The Office of the Comptroller of the Currency (OCC) said Tuesday (April 8) that it notified Congress of a ‘major security incident’ in which there was unauthorized access to OCC emails and email attachments.” Again, nothing about who might be the bad guy.
Could it be China?
Bloomberg, however, said: “While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year. In December, for instance, the Treasury revealed that Chinese state-sponsored hackers had breached their network through a third-party provider, giving them access to some unclassified documents and former Secretary Janet Yellen’s computer. It wasn’t immediately clear if the OCC breach was related, people familiar with the situation said.”
And The Register, an online site about information technology, said, in a subtitle, “OCC mum on who broke into email, but Treasury fingered China in similar hack months ago.”
You might have something there, The Register.
Also see:
The Register: “Chinese cyber-spies reportedly targeted sanctions intel in US Treasury raid”