The U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC) has notified Congress of “a major information security incident” involving threat actor access to about 150,000 department emails.
While the official announcement of the U.S. Treasury email breach was short on details, Bloomberg reported that a draft letter to Congress said that the unknown hackers had access to about 100 bank regulators’ accounts and 150,000 e-mails from June 2023 until they were “discovered and ousted earlier this year.”
The announcement marks a significant step up from what was termed a “limited” incident in the initial announcement in February.
U.S. Treasury Email Breach Included Sensitive Financial Information
The OCC regulates all national banks and federal savings associations as well as federal branches and agencies of foreign banks, making a breach of the independent financial agency potentially significant.
The official statement said the OCC first became aware of the incident on Feb. 11, 2025, when the agency “learned of unusual interactions between a system administrative account in its office automation environment and OCC user mailboxes.”
After confirming the activity was unauthorized, the agency’s incident response protocols were initialized, which included engaging an independent third-party incident assessment and reporting the incident to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The compromised administrative accounts were disabled and unauthorized access terminated.
While the review is ongoing, the OCC and the Treasury Department concluded that “based on the content of the emails and attachments reviewed thus far … the incident met the conditions necessary to be classified as a major incident.”
Investigators determined that the access to executives’ and employees’ emails “included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.”
Not The First Treasury Department Breach
While the threat actor in the OCC breach remains unknown, the breach’s initial disclosure closely followed a Treasury Department breach reported by the New York Times in December 2024 that was attributed to China-linked hackers.
China-linked threat actors are also believed to have been behind attacks on nine U.S. telecom networks, persistent infiltration of U.S. critical infrastructure – possibly in preparation for an attack on Taiwan – as well as July 2023 email breaches of senior U.S. government officials responsible for handling relations with the People’s Republic of China (PRC).
“[W]hat we have found is likely just the tip of the iceberg,” outgoing CISA Director Jen Easterly wrote in January. “This unrelenting PRC campaign underscores the urgent need for robust cyber defense and vigilance across public and private sectors.”
