
The US Treasury’s Office of the Comptroller of the Currency (OCC) on Tuesday disclosed to Congress that hackers had access to the email accounts of top federal banking regulators and 150,000 staff emails for over a year.
According to two sources and a draft letter to Congress reportedly seen by Bloomberg News, the attackers were able to hijack “about 103 bank regulators’ emails for more than a year,” after breaking into an OCC administrator's account.
It was further reported that the unidentified attackers had “access to more than 150,000 emails since June 2023” until this February, when the threat actor was finally booted from the system.
Compromised OCC executives included senior deputy comptrollers, international banking supervisors, and other staff, one of the sources said.
In the letter, OCC Chief Information Officer Kristen Baldwin told Congress that “the information contained in the emails and attachments is likely to result in demonstrable harm to public confidence.”
“For over a year, hackers had unrestricted access to 100+ US bank regulators’ emails, reading over 150,000 messages from inside the Office of the Comptroller of the Currency (OCC) – they got in through a single administrator account,” said X user @sekurprivate, a Swiss-based private email provider.
“This wasn’t a phishing email gone wrong. It was a high-level infiltration targeting sensitive regulatory communications,” they said.
Hackers only discovered in February
Labeling the cyberattack as a “major incident,” the OCC said it became aware of the unauthorized access on February 11th, after observing “unusual interactions between an administrative account and OCC user mailboxes.”
Within 24 hours, the OCC said it “disabled the compromised accounts” with the help of third-party experts, thereby terminating the attacker's access.
Still, after examining the system’s log files dating back to 2022, the OCC determined that “a limited number” of email accounts had been affected, disclosing the findings in a public notice on February 26th.
Barely six weeks later, the OCC tells Congress, the threat actors were able to get their hands on at least 100 OCC executives’ and employees’ emails, many of which included “highly sensitive information.”

Vowing to hold the OCC “fully accountable” for the breach, Acting Comptroller of the Currency Rodney Hood said the bureau will launch an extensive internal investigation to “identify the vulnerabilities and any missed findings leading to the unauthorized access.”
"Highly sensitive" bank information
An independent bureau of the US Department of the Treasury, the OCC “charters, regulates, and supervises all national banks, federal savings associations, and federal branches and agencies of foreign banks,” the agency states.
As part of the still ongoing probe, OCC data science experts and independent third parties have been analyzing the hacked email messages to find out precisely what data was accessed during the almost two-year-long breach.
The highly sensitive emails, so far, have been found to contain information relating to the “financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” the OCC said on Thursday.
“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” Hood said Thursday.
“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” he said.
Tuesday’s breach disclosure to Congress is required as per the Federal Information Security Modernization Act. The US Cybersecurity and Infrastructure Security Agency (CISA) was notified at the time of discovery.
China-backed hackers hit Treasury last year
It’s not the first time cybercriminals have gone after the US Treasury Department.
In December 2024, members of the Chinese-backed threat group Salt Typhoon were able to gain access to the laptops of some senior US government officials after hacking the US Treasury through its third-party cybersecurity vendor BeyondTrust. About 100 government computers were found to have been involved in the attack.
Since then, Salt Typhoon has been found responsible for carrying out a years-long cyber campaign targeting US critical infrastructure, including more recent attacks on US telecommunications and internet service providers, even targeting US President Donald Trump right before the November elections.
More than a dozen Chinese nationals were indicted by the US Department of Justice last month in connection with the telecom attacks, and the Treasury’s Office of Foreign Assets Control (OFAC) imposed individual and corporate sanctions on the perpetrators.
In response to the China-linked hack, US Senate Banking Committee GOP lawmakers pointed out that the “Treasury maintains some of the most highly sensitive information on US persons throughout government, including tax information, business beneficial ownership, and suspicious activity reports.”