WASHINGTON—The Office of the Comptroller of the Currency reported a major security breach in its email system and informed Congress of the incident on Tuesday.
The OCC said the finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access.
“On Feb. 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On Feb. 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency,” the OCC explained.
On Feb. 12, the OCC disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated. The OCC provided public notice of the incident on Feb. 26, the agency said.
After confirming the unauthorized activity, the OCC said it immediately began analyzing the compromised email messages to determine their contents.
“These efforts included using internal data science experts and independent third-parties and are ongoing. While that review is ongoing, based on the content of the emails and attachments reviewed thus far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident,” the OCC.
The OCC said it discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.
“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney E. Hood. “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
The OCC added that it has utilized third-party cybersecurity experts to perform a full review of the investigation and forensics efforts. The OCC is also launching an evaluation of its current IT security policies and procedures to improve its ability to prevent, detect and remediate potential security incidents going forward.
In addition, the OCC is working to engage an additional independent third-party to assess and analyze internal processes related to cyber incidents, the agency said.