U.S. Treasury's Comptroller reports email breach exposed sensitive financial institution data

The Office of the Comptroller of the Currency (OCC), a key U.S. financial regulator, has confirmed that its email systems were compromised in a cybersecurity breach that exposed highly sensitive information about federally regulated financial institutions. 

The OCC regulates and supervises all national banks, federal savings associations, and federal branches and agencies of foreign banks operating in the United States.

The incident was first detected on February 11, 2025. According to the OCC's statement, unauthorized actors gained access to emails belonging to agency executives and other employees through an administrative account in the OCC's email system. The compromised emails contained highly sensitive information related to the financial condition of banks and other financial institutions under its supervision.

No details are disclosed about the types of exposed data and number of affected individuals. Bloomberg reports the hackers had access to the email accounts of about 100 senior officials and more than 150,000 emails dating back to June 2023.

The OCC has implemented incident response protocols, analyzed compromised emails to determine their contents, engaged third-party cybersecurity experts to review investigation and forensic efforts and notified Congress.

Update - it seems JPMorgan Chase and Bank of New York Mellon have significantly reduced electronic information sharing with the Office of the Comptroller of the Currency (OCC) in response to the security breach. The decision by JPMorgan Chase and BNY Mellon to limit information sharing reportedly stems from concerns that continued electronic exchanges could introduce security risks to their own computer networks following the OCC breach.

As of 14th of April 2025, the OCC reports that the breach involved a third-party actor who gained unauthorized access to multiple OCC user accounts through an administrative-level account that was compromised. The OCC has disabled the unauthorized administrative account. Officials are currently working to determine the full scope of data that may have been compromised in the incident. Each regulated institution will be directly notified if the OCC discovers that information specific to that institution was accessed during the breach.