Hackers accessed 150,000 emails from a government agency

The United States Treasury Department’s Office of the Comptroller of the Currency (OCC) has recently discovered an email system breach, describing it as a “major information security incident.” The OCC supervises, regulates, and charters all national banks in addition to supervising federal agencies of foreign banks.
The breach came to light through internal and external reviews of OCC emails and email attachments that had been exposed to unauthorized access. On February 11, 2025, the agency detected abnormal interactions between a system administrative account and OCC user mailboxes. The following day, the activity was confirmed to be unauthorized. The organization activated its incident response protocols and reported the event to the Cybersecurity and Infrastructure Security Agency (CISA).
On February 12, 2025, the OCC disabled the compromised account and verified that the unauthorized access had been terminated. Bloomberg reported that 103 email accounts were compromised, allowing the malicious actors to access sensitive financial information. The malicious actors reportedly had access to approximately 150,000 emails from May 2023 until the discovery and termination of their unauthorized access.
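The article notes that the intrusion was spotted as abnormal interactions between an administrative account and user mailboxes. As an added illustration, not taken from the article or from the OCC's own tooling, the script below shows one way a detection team can surface that pattern from mailbox audit logs: it flags any administrative account that reads message content in more distinct user mailboxes than a threshold allows. The log format, account names, domain and threshold are constructed assumptions.

```python
"""Flag administrative accounts that read an unusual number of user mailboxes.

Constructed example: the audit-log layout, account names, domain and threshold
are assumptions for illustration only, not the OCC's systems or logs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, acting account, mailbox touched, action.
SAMPLE_LOG = """\
2025-02-11T08:02:11Z svc-mailadmin alice@agency.example MailItemsAccessed
2025-02-11T08:02:13Z svc-mailadmin bob@agency.example MailItemsAccessed
2025-02-11T08:02:15Z svc-mailadmin carol@agency.example MailItemsAccessed
2025-02-11T08:02:19Z svc-mailadmin dave@agency.example MailItemsAccessed
2025-02-11T08:03:40Z svc-mailadmin erin@agency.example MailItemsAccessed
2025-02-11T09:15:02Z alice@agency.example alice@agency.example MailItemsAccessed
2025-02-11T09:20:44Z bob@agency.example bob@agency.example MailItemsAccessed
2025-02-11T10:01:00Z helpdesk-admin carol@agency.example MailboxSettingsChanged
this line is malformed and must be skipped
"""

# Accounts that hold mailbox-administration rights (assumption).
ADMIN_ACCOUNTS = {"svc-mailadmin", "helpdesk-admin"}

# An admin account reading content from more than this many distinct
# user mailboxes in the reviewed window is treated as anomalous (assumption).
MAILBOX_THRESHOLD = 3


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, actor, mailbox, action = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append({"time": when, "actor": actor, "mailbox": mailbox, "action": action})
    return records


def find_admin_mailbox_anomalies(records, threshold=MAILBOX_THRESHOLD):
    """Return {admin_account: sorted list of user mailboxes} for administrative
    accounts that read message content in more than `threshold` mailboxes
    other than their own. Settings changes are administrative work and are
    not counted; only content access (MailItemsAccessed) is."""
    touched = defaultdict(set)
    for r in records:
        if (r["actor"] in ADMIN_ACCOUNTS
                and r["action"] == "MailItemsAccessed"
                and r["mailbox"] != r["actor"]):
            touched[r["actor"]].add(r["mailbox"])
    return {actor: sorted(boxes) for actor, boxes in touched.items() if len(boxes) > threshold}


if __name__ == "__main__":
    for actor, boxes in find_admin_mailbox_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {actor} read mail in {len(boxes)} user mailboxes: {', '.join(boxes)}")
```

In practice the same rule would run over a rolling window rather than a whole file, and the threshold would be tuned against a baseline of what each administrative account normally touches; the point is that content reads by an admin identity across many mailboxes is a distinct signal from routine settings changes and deserves its own alert.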
J Stephen Kowski, Field CTO at SlashNext Email Security+, comments, “The OCC breach is part of a trend of sophisticated email attacks targeting government agencies, with hackers accessing over 150,000 emails containing sensitive information dating back to June 2023. This incident, combined with recent CISA funding cuts to critical cybersecurity programs like MS-ISAC and EI-ISAC, creates a perfect storm where agencies must now defend against nation-state threats with fewer resources.”
To defend against such email threats, Kowski recommends, “Security teams should implement advanced email protection that combines AI-powered threat detection with real-time phishing defense to identify and block sophisticated social engineering attempts before they reach employee inboxes. Organizations need layered security that protects against account takeover, spoofing, and credential theft — especially as attackers increasingly target email systems as their primary entry point for major breaches.”
The OCC has brought third-party cybersecurity experts into the investigation and forensic efforts, and has launched an assessment of its current IT security policies. The OCC will coordinate with the U.S. Department of the Treasury to share any findings.
“The OCC’s disclosure of the breach is unusually transparent by government standards, although such openness is increasingly seen as part of modern public accountability practices,” says Jason Soroko, Senior Fellow at Sectigo. “The release does not specify if the compromised email system was powered by a vendor like Microsoft, nor does it detail the particular vulnerability exploited, leaving critical technical and attribution questions unanswered. No direct link has been established between any previous incident and this breach. Historically, such incidents have often involved vulnerabilities in widely deployed systems, but in this case, further investigation is required to tie the attack to a specific vendor or vulnerability.”