US banking regulator reports on ‘major’ cyber incident involving senior officials’ emails
Hackers gained access to “highly sensitive information” after breaching the email system used by the U.S. Office of the Comptroller of the Currency (OCC).
The OCC notified Congress on Tuesday of a “major information security incident” that was first announced in February. The OCC, an independent bureau housed within the Treasury Department, regulates all national banks, federal savings associations and foreign bank branches in the U.S.
“The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” officials said.
Bloomberg, which first reported the notification, said the unidentified hackers had access to the email accounts of about 100 senior officials and more than 150,000 emails dating back to June 2023.
The OCC said it first learned of the issue on February 11 when it saw “unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes.”
The organization hired cybersecurity experts, reported the attack to the Cybersecurity and Infrastructure Security Agency (CISA) and eventually isolated the impacted systems on February 12. The compromised administrative accounts were disabled and the unauthorized access was terminated. The OCC released a public statement on the issue on February 26.
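The indicator the OCC describes, an administrative account in the mail environment interacting with many user mailboxes, is something a defender can watch for directly. The following is an added example, not code from the article or from the OCC; the audit-log format, the account names and the sample lines are constructed for illustration and do not represent any real product's log schema. It counts the distinct user mailboxes each administrative-style account touches and flags any account whose fan-out exceeds a threshold.

```python
"""Added example (not from the article): flag an administrative account that
interacts with an unusually large number of distinct user mailboxes.

The log format below is constructed for illustration:
    <timestamp> actor=<account> action=<operation> mailbox=<target address>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit lines. svc-exchange-admin reads six different
# executives' mailboxes (one of them twice); admin-helpdesk touches two;
# jdoe only ever reads jdoe's own mailbox.
SAMPLE_LOG = """\
2025-02-11T02:14:07Z actor=svc-exchange-admin action=MailboxRead mailbox=exec01@bank-regulator.example
2025-02-11T02:14:09Z actor=svc-exchange-admin action=MailboxRead mailbox=exec02@bank-regulator.example
2025-02-11T02:14:12Z actor=svc-exchange-admin action=MailboxRead mailbox=exec03@bank-regulator.example
2025-02-11T02:14:15Z actor=svc-exchange-admin action=MailboxRead mailbox=exec01@bank-regulator.example
2025-02-11T02:14:20Z actor=svc-exchange-admin action=MailboxRead mailbox=exec04@bank-regulator.example
2025-02-11T02:14:23Z actor=svc-exchange-admin action=MailboxRead mailbox=exec05@bank-regulator.example
2025-02-11T02:14:27Z actor=svc-exchange-admin action=MailboxRead mailbox=exec06@bank-regulator.example
2025-02-11T08:01:00Z actor=admin-helpdesk action=MailboxRead mailbox=user17@bank-regulator.example
2025-02-11T08:03:41Z actor=admin-helpdesk action=MailboxRead mailbox=user22@bank-regulator.example
2025-02-11T09:10:02Z actor=jdoe action=MailboxRead mailbox=jdoe@bank-regulator.example
2025-02-11T09:11:45Z actor=jdoe action=MailboxRead mailbox=jdoe@bank-regulator.example
2025-02-11T09:12:30Z actor=jdoe action=MailboxRead mailbox=jdoe@bank-regulator.example
"""


@dataclass
class Finding:
    """One administrative account whose mailbox fan-out crossed the threshold."""
    actor: str
    mailbox_count: int
    mailboxes: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed audit line into (timestamp, {key: value})."""
    parts = line.split()
    timestamp = parts[0]
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return timestamp, fields


def admin_mailbox_fanout(log_text, admin_prefixes=("svc-", "admin-"), threshold=5):
    """Return Findings for admin-style actors that touched >= threshold distinct
    mailboxes other than their own. admin_prefixes is an assumed naming
    convention for administrative/service accounts; adjust to the environment."""
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, fields = parse_line(line)
        actor = fields.get("actor", "")
        mailbox = fields.get("mailbox", "")
        if not actor or not mailbox:
            continue
        if not actor.startswith(admin_prefixes):
            continue  # ordinary user accounts are out of scope for this rule
        if mailbox.split("@", 1)[0] == actor:
            continue  # an account reading its own mailbox is not fan-out
        distinct[actor].add(mailbox)

    findings = [
        Finding(actor, len(boxes), sorted(boxes))
        for actor, boxes in distinct.items()
        if len(boxes) >= threshold
    ]
    # Highest fan-out first so the most anomalous account leads the report.
    findings.sort(key=lambda f: (-f.mailbox_count, f.actor))
    return findings


if __name__ == "__main__":
    for f in admin_mailbox_fanout(SAMPLE_LOG):
        print(f"{f.actor}: {f.mailbox_count} distinct mailboxes -> {f.mailboxes}")
```

The rule deliberately keys on distinct mailboxes rather than raw event volume, since a legitimate administrator running a migration can generate many events against a single mailbox without touching other people's mail. In practice the threshold should be derived from a baseline of normal admin behaviour, and the naming-prefix heuristic replaced with a lookup against the directory's actual privileged-role membership.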
Since then, the OCC and other investigators have examined the emails and attachments that were accessed by the hackers. The effort is ongoing, but the OCC and Treasury Department have “determined the incident met the conditions necessary to be classified as a major incident.”
Acting Comptroller of the Currency Rodney Hood claimed he has “taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident.”
“There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access,” Hood said, adding that the OCC will evaluate its IT policies and procedures as well.
In February, the OCC said there was no indication that the incident impacted the financial sector. The Treasury Department did not respond to requests for comment about whether this assessment is still accurate.
But in a letter to Congress this week seen by Bloomberg, an OCC official said the information in the emails that were accessed is “likely to result in demonstrable harm to public confidence.”
In December, the Treasury Department warned Congress of another cyberattack perpetrated by Chinese hackers that enabled access to the Office of Foreign Assets Control (OFAC) as well as the Office of the Treasury Secretary — including computers used by former Secretary Janet Yellen, Deputy Secretary Adewale Adeyemo and acting Undersecretary Brad Smith.
At least 50 files on Yellen’s computer were accessed as well as data on sanctions but the hackers were not able to break into the department’s email system or classified documents. In total, investigators believe 400 laptop and desktop machines were breached, allowing access to employee usernames and passwords as well as more than 3,000 files on unclassified personal devices, according to a Treasury report.
U.S. officials slapped sanctions on a Chinese hacker and cybersecurity company in January for their involvement in the hack, alleging that they are affiliated with the PRC’s Ministry of State Security. The Justice Department also charged 12 Chinese nationals, several of whom are accused of being involved in the Treasury hack.
The Treasury Department did not respond to requests for comment about whether the December incident is connected to the February email breach.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.