The United States Treasury Department’s Office of the Comptroller of the Currency (OCC) acknowledged to lawmakers on Tuesday that it had experienced “a major information security incident.” As required by the Federal Information Security Modernization Act, Congress was notified that the office had found hackers had gained access to emails containing sensitive information relating to the financial condition of federally regulated financial institutions.
“On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency,” OCC confirmed in a statement.
The OCC disabled the compromised administrative accounts while confirming that the unauthorized access had been “terminated.” The office further posted a public notice on February 26.
Email Under Review
OCC said that it has been analyzing the compromised emails “to determine their contents,” and that has included both internal data science experts and “independent” third-parties. The efforts are ongoing, but it further acknowledged that the hackers had gained “unauthorized access” to the emails of executives and employees, but didn’t clarify how many emails were compromised.
However, it did state that the emails contained “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”
How Did It Happen?
While OCC also didn’t describe any specific issues that led to the emails being compromised, and no group was identified, the hack was blamed on long-standing weaknesses within the department’s systems.
“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney E. Hood. “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
It isn’t clear from that statement whether it was a brute force attack or the result of something else, such as an orchestrated phishing campaign. But it does appear that the hacker(s) were able to get into the system, and from there the damage was done.
“It’s always a dangerous situation when bad actors get into legitimate email accounts as these accounts carry with them a level of trust that is not present in spoofed emails,” Erich Kron, security awareness advocate at cybersecurity company KnowBe4, told ClearanceJobs via an email.
“In many cases, bad actors will piggyback on previous conversations with others in an attempt to get the target to open infected documents or take actions that benefit the attackers,” Kron warned. “This is much easier for them to do if they are using a previous email correspondence with the victim because people are naturally less skeptical when receiving a message from someone they have previously communicated with.”
The Blame Game, But It’s Not Wrong
Though the OCC essentially blamed organizational and structural deficiencies, which is akin to passing the buck, the issue of legacy systems is one that has plagued the federal government in recent years.
“This breach is a critical example of how legacy vulnerabilities in sensitive government systems continue to pose national security and financial stability risks,” explained Ensar Seker, chief information security officer at cybersecurity provider SOCRadar.
“The reported breach at the U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC) is deeply alarming, not only because it involves unauthorized access to executive emails, but because those emails reportedly contained highly sensitive data tied to the financial health of federally regulated institutions,” Seker told ClearanceJobs. “This isn’t just a privacy incident. It has the potential to impact market confidence, regulatory operations, and even geopolitical stability.”
It should be concerning that the breach was attributed to longstanding, known vulnerabilities. If they’re known, they shouldn’t be there!
“In 2025, that’s unacceptable. Government agencies tasked with safeguarding our financial infrastructure must operate with zero tolerance for technical debt. These systems aren’t just supporting administrative functions, they’re part of the digital backbone of U.S. financial governance,” Seker continued.
Not a Random Attack on an Agency
The other noteworthy aspect of this attack is that the adversaries behind it almost certainly understood what they were targeting.
“Financial regulatory bodies are a goldmine for nation-state actors and financially motivated threat groups alike,” Seker warned. “The ability to access preliminary regulatory findings, enforcement discussions, or early warnings about institutional instability would give attackers enormous leverage, either to disrupt markets, manipulate decisions, or profit via insider-style knowledge.”
Seker suggested the incident underscores the need for aggressive modernization of email infrastructure in the public sector, especially for high-value targets like financial regulators.
“Email remains one of the most vulnerable and exploited attack vectors, and legacy systems, even if segmented, are often riddled with authentication gaps, lack of MFA, and poor visibility into abnormal access behaviors,” he further told ClearanceJobs, and recommended that going forward there need to be comprehensive efforts made to ensure it can’t happen again.
That includes eliminating known vulnerabilities proactively, not reactively; encrypting and compartmentalizing sensitive communications across regulatory agencies; deployment of behavioral anomaly detection to flag unusual access, especially by privileged users; and critically, treating cybersecurity not as a compliance checkbox, but as a foundational pillar of national financial resilience.
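One way to implement the “unusual access by privileged users” check Seker describes, as an added example that is not part of the original article: it scans constructed mailbox-audit lines (the log format, account names, window and threshold are all assumptions) and flags any privileged account that reads several distinct user mailboxes within a short window, the kind of admin-account-to-user-mailbox interaction the OCC statement says it spotted.

```python
"""Flag privileged accounts that read other users' mailboxes in bulk."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not from the OCC incident).
# Format assumed: <timestamp> <actor> <operation> <mailbox accessed>
SAMPLE_LOG = """\
2025-02-11T08:02:11Z svc-automation MailItemsAccessed alice@example.gov
2025-02-11T08:02:40Z svc-automation MailItemsAccessed bob@example.gov
2025-02-11T08:03:05Z svc-automation MailItemsAccessed carol@example.gov
2025-02-11T08:03:30Z svc-automation MailItemsAccessed dave@example.gov
2025-02-11T09:15:00Z alice@example.gov MailItemsAccessed alice@example.gov
2025-02-11T09:16:00Z bob@example.gov MailItemsAccessed shared-inbox@example.gov
2025-02-11T10:00:00Z helpdesk-admin MailItemsAccessed erin@example.gov
"""

# Assumed list of privileged / system administrative accounts.
PRIVILEGED = {"svc-automation", "helpdesk-admin"}


def parse(line):
    """Split one audit line into (timestamp, actor, operation, mailbox)."""
    ts, actor, op, mailbox = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, op, mailbox


def find_suspicious(log_text, privileged=PRIVILEGED, window_minutes=10, threshold=3):
    """Return {actor: sorted mailboxes} for each privileged actor that read
    at least `threshold` distinct non-owner mailboxes inside `window_minutes`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, op, mailbox = parse(line)
        # Only non-owner reads by privileged accounts are of interest here.
        if op != "MailItemsAccessed" or actor == mailbox or actor not in privileged:
            continue
        events[actor].append((ts, mailbox))
    hits = {}
    for actor, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window starting at each event
            seen = {m for t, m in evs[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(seen) >= threshold:
                hits[actor] = sorted(seen)
                break
    return hits
```

Tuning the window and threshold to the real baseline of legitimate administrative mailbox access is what separates a usable alert from noise.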
“If anything, this breach is a reminder that cybersecurity is not just about preventing data theft, it’s about protecting public trust in the systems that govern our economy,” Seker added.
The human element also can’t be overlooked.
“It’s important that as part of a human risk management plan, employees are taught to always be careful when handling file attachments or unexpected requests, even if they come from a source they have previously communicated with,” said Kron. “If in doubt, the request can be confirmed through an alternative form of communication such as a phone call or text message.”