OCC Notifies Congress of Major Email System Security Breach

Troutman Pepper Locke

On April 8, the Office of the Comptroller of the Currency (OCC) officially notified Congress of a significant information security incident involving its email system. This notification, mandated by the Federal Information Security Modernization Act, follows the discovery of unauthorized access to OCC emails and attachments that included highly sensitive information related to the financial condition of federally regulated financial institutions.

Incident Overview

The breach was identified through both internal and independent third-party reviews. On February 11, 2025, the OCC detected unusual interactions between a system administrative account and user mailboxes. By February 12, the OCC confirmed the activity was unauthorized and promptly activated its incident response protocols.

These protocols included:

  • Initiating an independent third-party incident assessment.
  • Reporting the incident to the Cybersecurity and Infrastructure Security Agency (CISA).
  • Disabling the compromised administrative accounts.
  • Confirming the termination of unauthorized access.

The OCC publicly disclosed the incident on February 26, reporting that it had identified, isolated, and resolved the security incident involving an administrative account in its email system. At that time, the OCC reported the incident to CISA and indicated that there was no evidence of any impact on the financial sector.

Ongoing Analysis and Findings

Following the confirmation of unauthorized activity, the OCC began a thorough analysis of the compromised email messages. This analysis, conducted by internal data science experts and independent third parties, is still ongoing. However, preliminary findings indicate that the unauthorized access included highly sensitive information related to the financial condition of federally regulated financial institutions, which is used in the OCC’s examinations and supervisory oversight processes.

In consultation with the Department of the Treasury, the OCC has classified this incident as a major security breach. Acting Comptroller of the Currency Rodney E. Hood emphasized the critical importance of the confidentiality and integrity of the OCC’s information security systems, stating: “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

Steps Taken and Future Actions

The OCC has engaged third-party cybersecurity experts to conduct a comprehensive review of the investigation and forensics efforts. Additionally, the OCC is undertaking an immediate and thorough evaluation of its current IT security policies and procedures to enhance its ability to prevent, detect, and remediate potential security incidents in the future. An additional independent third party will be engaged to assess and analyze internal processes related to cyber incidents.

Throughout this process, the OCC has coordinated with the Department of the Treasury to share information about its findings.

No information has been provided on whether or when the OCC plans to notify affected financial institutions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
