Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems

The OCC serves to charter, regulate, and supervise all national banks and federal thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.

According to the OCC, an administrative email account with access to user mailboxes and internal systems was compromised; as a result, unauthorized persons gained access to nonpublic data.

The breach was discovered on February 11, 2025; at that time, Microsoft notified the OCC of unusual activity in its mailboxes. However, the scope of the compromise was identified only recently.

The incident report states that unknown cybercriminals gained access to “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”

The compromised administrative account was disabled on February 12, when the breach was confirmed; third-party cybersecurity experts were retained to assess the incident impact.

“Based on the content of the emails and attachments reviewed thus far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident. The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight process,” – the OCC.

According to Bloomberg News, a draft letter to Congress prepared by OCC Chief Information Officer Kristen Baldwin states that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence. In the period from May 2023 to early 2025, the attackers had accessed roughly 150,000 emails.

OCC representatives haven’t commented on this information yet, nor did they specify who might be responsible for the breach.

Back in December 2024, unknown attackers had hacked the U.S. Department of the Treasury and compromised the SaaS platform used by it. At that time, it was reported that the intrusion affected the Office of Foreign Assets Control (OFAC), and the hackers deliberately attacked this department that administers and enforces economic and trade sanctions.

The U.S. authorities held some ‘Chinese government hackers’ liable for that attack.