Hackers gained access to the private emails of at least 103 US bank regulators for more than a year, compromising highly sensitive financial information, Bloomberg reported, citing sources familiar with the breach.
According to a draft letter to Congress, the cyberattack, which targeted employees at the Office of the Comptroller of the Currency (OCC), was first detected in February 2025 after Microsoft’s security team alerted the agency to unusual network activity.
The hackers gained access to the OCC’s email system after compromising an administrator’s account, which allowed them to monitor the email communications of high-ranking officials, including senior deputy comptrollers and international banking supervisors. The breach affected roughly 150,000 emails sent between May 2023 and early 2025, some of which contained critical details about the financial health of institutions regulated by the OCC.
The OCC, an independent bureau within the US Department of the Treasury, is responsible for overseeing national banks, federal savings associations, and the US operations of foreign banks. The draft letter to Congress, seen by Bloomberg News, warned that the breach could result in "demonstrable harm to public confidence" due to the nature of the compromised information.
OCC Chief Information Officer Kristen Baldwin confirmed the attack in a letter to Congress, calling it a "major information security incident." "The highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence," Baldwin wrote.
In December 2024, the Treasury Department disclosed a breach by Chinese state-sponsored hackers, who accessed unclassified documents and former Secretary Janet Yellen’s computer via a third-party vendor. However, it remains unclear whether the OCC incident is related to this or other recent foreign cyber campaigns.
The identity of the hackers behind the OCC breach has not yet been determined. In its initial disclosure on February 26, 2025, the OCC confirmed the cyberattack but stated that only a "limited number of affected email accounts" were involved. All compromised accounts have since been disabled. The agency assured the public that there is no evidence the breach has impacted the broader financial sector.