The Office of the Comptroller of the Currency (OCC) has alerted Congress to a “major information security incident” following unauthorized access to its email systems, including messages containing sensitive financial data. The breach was discovered on 11 February 2025 and confirmed the following day.
According to the OCC, the incident involved unusual activity by a system administrator account accessing user mailboxes without authorization. Once detected, the OCC shut down the compromised accounts and activated its incident response protocols.
The breach was reported to the Cybersecurity and Infrastructure Security Agency and publicly disclosed on 26 February.
The investigation, involving internal teams and third-party cybersecurity experts, is ongoing.
So far, the OCC has found that the unauthorized access included emails containing highly sensitive information about federally regulated financial institutions — the kind of data used during regulatory examinations and oversight.
The initial investigation, according to Bloomberg, found that the incident involved unauthorized access to some 150,000 emails from 103 accounts, including sensitive financial data used in regulatory examinations and oversight processes. The unauthorized access began as early as May or June 2024 and continued until February 2025, making it far more prolonged than initially believed.
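The detail that matters most to defenders in the account above is the pattern, not the numbers: a privileged mailbox-administration account reading other people's mailboxes, across many owners, over many months. That pattern is visible in mailbox audit logs long before anyone notices a "major incident". The script below is an added example, not OCC code and not from the article; it models a detection over constructed audit records whose field names loosely follow Microsoft 365 MailItemsAccessed events (the article does not say what mail platform the OCC runs, so that shape, the account names, and the distinct-mailbox threshold are all assumptions). It keeps only non-owner mailbox reads, summarises them per actor, and flags actors that either read an unusual number of distinct mailboxes or used an admin logon type to read user mail at all, reporting the first and last sighting so the dwell time is immediately visible.

```python
import json
from datetime import datetime

# Constructed sample records, modelled loosely on the shape of Microsoft 365
# unified-audit-log MailItemsAccessed events. None of this is OCC data.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2024-05-14T02:11:09","Operation":"MailItemsAccessed","UserId":"svc-exadmin@agency.example","MailboxOwnerUPN":"examiner1@agency.example","LogonType":"Admin"}
{"CreationTime":"2024-05-14T02:13:40","Operation":"MailItemsAccessed","UserId":"svc-exadmin@agency.example","MailboxOwnerUPN":"examiner2@agency.example","LogonType":"Admin"}
{"CreationTime":"2024-06-02T23:58:01","Operation":"MailItemsAccessed","UserId":"svc-exadmin@agency.example","MailboxOwnerUPN":"examiner3@agency.example","LogonType":"Admin"}
{"CreationTime":"2025-02-10T03:05:22","Operation":"MailItemsAccessed","UserId":"svc-exadmin@agency.example","MailboxOwnerUPN":"examiner4@agency.example","LogonType":"Admin"}
{"CreationTime":"2025-02-10T09:15:00","Operation":"MailItemsAccessed","UserId":"examiner1@agency.example","MailboxOwnerUPN":"examiner1@agency.example","LogonType":"Owner"}
{"CreationTime":"2025-02-10T09:20:00","Operation":"MailItemsAccessed","UserId":"assistant@agency.example","MailboxOwnerUPN":"examiner2@agency.example","LogonType":"Delegate"}
{"CreationTime":"2025-02-10T10:00:00","Operation":"Set-Mailbox","UserId":"svc-exadmin@agency.example","MailboxOwnerUPN":"examiner5@agency.example","LogonType":"Admin"}
"""

# Assumed tuning value: how many distinct mailboxes one actor may read before
# it is worth a look. Baseline it against your own help-desk and delegate traffic.
DISTINCT_MAILBOX_THRESHOLD = 3


def parse_audit_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def non_owner_mail_reads(records):
    """Keep MailItemsAccessed events where the actor is not the mailbox owner."""
    return [
        r for r in records
        if r["Operation"] == "MailItemsAccessed"
        and r["UserId"].lower() != r["MailboxOwnerUPN"].lower()
    ]


def summarize_by_actor(events):
    """Per actor: distinct mailboxes read, first/last sighting, logon types used."""
    summary = {}
    for r in events:
        actor = r["UserId"].lower()
        ts = datetime.fromisoformat(r["CreationTime"])
        s = summary.setdefault(
            actor, {"mailboxes": set(), "first": ts, "last": ts, "logon_types": set()}
        )
        s["mailboxes"].add(r["MailboxOwnerUPN"].lower())
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["logon_types"].add(r.get("LogonType", ""))
    return summary


def flag_suspicious(summary, threshold=DISTINCT_MAILBOX_THRESHOLD):
    """Flag actors that read many distinct mailboxes, and any admin-logon read of
    user mail at all: admins have no routine reason to open examiners' mailboxes."""
    findings = {}
    for actor, s in summary.items():
        reasons = []
        if len(s["mailboxes"]) >= threshold:
            reasons.append(f"read {len(s['mailboxes'])} distinct mailboxes")
        if "Admin" in s["logon_types"]:
            reasons.append("admin logon type used to read user mail")
        if reasons:
            findings[actor] = {
                "reasons": reasons,
                "mailboxes": sorted(s["mailboxes"]),
                "first_seen": s["first"].isoformat(),
                "last_seen": s["last"].isoformat(),
                # Dwell time as the incident responder will want it: days between
                # the earliest and latest non-owner read by this actor.
                "span_days": (s["last"] - s["first"]).days,
            }
    return findings


def run(text=SAMPLE_AUDIT_LOG):
    """Full pipeline over a log blob; returns {actor: finding}."""
    return flag_suspicious(summarize_by_actor(non_owner_mail_reads(parse_audit_log(text))))


if __name__ == "__main__":
    for actor, finding in run().items():
        print(actor, json.dumps(finding, indent=2))
```

On the constructed input only the admin service account is flagged, with four distinct mailboxes and a 272-day span between first and last read; the owner's own access and the single delegate read are passed over, and the Set-Mailbox configuration change is ignored because it is not a read. Two caveats a practitioner will already have in mind: mailbox-read auditing has to be enabled and retained for the whole window you care about, and the query is only useful if someone is actually reviewing its output, which is the gap the months-long dwell time in this case points to.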
In consultation with the Department of the Treasury, the OCC has officially classified the event as a major incident under the Federal Information Security Modernization Act (FISMA).
Acting Comptroller of the Currency Rodney Hood said steps are being taken to assess the full impact and address the structural issues that allowed the breach to occur. “There will be full accountability for the vulnerabilities identified,” he said.
The OCC is now reviewing its cybersecurity policies and procedures and plans to bring in additional independent experts to strengthen its defenses and response capabilities. Throughout the process, it has been closely coordinating with the Department of the Treasury.
Identify and Respond Proactively
Avkash Kathiriya, SVP of Threat Intelligence Research at Cyware, said: “Incidents like the Treasury OCC breach don’t only affect the public sector and underscore why Threat Intelligence Management, when done right, empowers security teams to identify and respond to advanced threats proactively—not months after an adversary has already embedded themselves deep within critical systems.
“But beyond internal processes, the real power lies in intelligence sharing and collaboration,” he added. “Government agencies must operate as a unified front, exchanging IOCs, TTPs, and threat context in real time to collectively strengthen our national cyber defense posture. Nation-state actors thrive in silos. By breaking them down and enabling automated, secure sharing of threat intelligence across agencies and partners, we can significantly reduce attacker dwell time and accelerate coordinated defense strategies.”
In closing, Kathiriya said protecting national security requires a connected, real-time threat intelligence ecosystem, one that enables organizations to detect, respond to, and mitigate the impact of threats before they become systemic.