OCC Notifies Congress of Incident Involving Email System

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today notified Congress of a major information security incident, as required by the Federal Information Security Modernization Act.

This finding is the result of internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access. On February 11, 2025, the OCC learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes. On February 12, the OCC confirmed the activity was unauthorized and immediately activated its incident response protocols which include initiating an independent third-party incident assessment and reporting the incident to the Cybersecurity and Infrastructure Security Agency. On February 12, the OCC disabled the compromised administrative accounts and confirmed that the unauthorized access had been terminated. The OCC provided public notice of the incident on February 26.

After confirming the unauthorized activity, the OCC immediately began analyzing the compromised email messages to determine their contents. These efforts included using internal data science experts and independent third-parties and are ongoing. While that review is ongoing, based on the content of the emails and attachments reviewed thus far, the OCC, in consultation with the Department of the Treasury, determined the incident met the conditions necessary to be classified as a major incident.

The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.

“The confidentiality and integrity of the OCC’s information security systems are paramount to fulfilling its mission,” said Acting Comptroller of the Currency Rodney E. Hood. “I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

The OCC has utilized third-party cybersecurity experts to perform a full review of the investigation and forensics efforts. The OCC is also launching an immediate and thorough evaluation of its current IT security policies and procedures to improve its ability to prevent, detect and remediate potential security incidents going forward. In addition, the OCC is working to engage an additional independent third-party to assess and analyze internal processes related to cyber incidents.

Throughout its review, the OCC has coordinated with the Department of the Treasury to share information about its findings.