Cyber Incident Victim: Office of the Comptroller of the Currency
Date: Feb 2025
Location: United States of America
Summary
The Office of the Comptroller of the Currency experienced unauthorized access to its email system through a compromised administrative account, leading to the exposure of sensitive information related to federally regulated financial institutions' examinations and supervisory processes. Following detection of unusual activity, incident response protocols were activated, including third-party assessments, coordination with cybersecurity agencies, and termination of the unauthorized access. Internal and independent reviews identified systemic organizational deficiencies, prompting immediate IT security policy evaluations and forensic investigations to address vulnerabilities and prevent future incidents.
Description
On February 11, 2025, the Office of the Comptroller of the Currency (OCC) detected unusual interactions between a system administrative account and user mailboxes within its office automation environment. The following day, February 12, the agency confirmed the activity constituted unauthorized access and immediately activated incident response protocols. These measures included initiating an independent third-party incident assessment and notifying the Cybersecurity and Infrastructure Security Agency (CISA). The OCC disabled the compromised administrative accounts on February 12 and verified that unauthorized access had been terminated. Public disclosure occurred on February 26, 2025.

Subsequent analysis revealed the breach involved emails and attachments containing highly sensitive information about federally regulated financial institutions' financial conditions, specifically data used in OCC examinations and supervisory oversight processes. The agency classified the incident as "major" under Federal Information Security Modernization Act requirements following consultation with the Department of the Treasury.
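The trigger described above, a privileged account interacting with mailboxes it does not own, is a pattern that can be checked directly in mailbox audit data. The following is an added example written for this entry; it is not OCC code, and the page does not say which mail platform the OCC runs. It assumes audit records shaped like Microsoft 365 unified audit log `MailItemsAccessed` entries (`UserId`, `MailboxOwnerUPN`, `LogonType` with 0 = owner, 1 = admin, 2 = delegate), and every record, account name and the `PRIVILEGED_ACCOUNTS` inventory below is constructed for illustration.

```python
"""Flag privileged accounts that read mailboxes they do not own.

Added example, not OCC code. The record shape is an assumption modelled on
Microsoft 365 unified audit log MailItemsAccessed entries; all data below is
constructed.
"""
import json
from collections import defaultdict

# Constructed JSON-lines audit records (assumed M365-style field names).
# LogonType: 0 = owner, 1 = admin, 2 = delegate.
RAW_AUDIT_LINES = [
    '{"CreationTime":"2025-02-11T02:14:05","Operation":"MailItemsAccessed","UserId":"svc-exchadmin@example.gov","MailboxOwnerUPN":"ceo@example.gov","LogonType":1,"ClientInfoString":"Client=OWA"}',
    '{"CreationTime":"2025-02-11T02:15:41","Operation":"MailItemsAccessed","UserId":"svc-exchadmin@example.gov","MailboxOwnerUPN":"cfo@example.gov","LogonType":1,"ClientInfoString":"Client=OWA"}',
    '{"CreationTime":"2025-02-11T02:17:09","Operation":"MailItemsAccessed","UserId":"svc-exchadmin@example.gov","MailboxOwnerUPN":"examiner1@example.gov","LogonType":1,"ClientInfoString":"Client=OWA"}',
    '{"CreationTime":"2025-02-11T02:19:30","Operation":"MailItemsAccessed","UserId":"svc-exchadmin@example.gov","MailboxOwnerUPN":"examiner2@example.gov","LogonType":1,"ClientInfoString":"Client=OWA"}',
    # Admin reading its own mailbox: benign, owner == actor.
    '{"CreationTime":"2025-02-11T08:01:00","Operation":"MailItemsAccessed","UserId":"svc-exchadmin@example.gov","MailboxOwnerUPN":"svc-exchadmin@example.gov","LogonType":0,"ClientInfoString":"Client=Outlook"}',
    # Ordinary user reading her own mailbox: benign.
    '{"CreationTime":"2025-02-11T08:02:00","Operation":"MailItemsAccessed","UserId":"alice@example.gov","MailboxOwnerUPN":"alice@example.gov","LogonType":0,"ClientInfoString":"Client=Outlook"}',
    # Delegate access by a non-privileged assistant: outside this rule's scope.
    '{"CreationTime":"2025-02-11T08:03:00","Operation":"MailItemsAccessed","UserId":"assistant@example.gov","MailboxOwnerUPN":"ceo@example.gov","LogonType":2,"ClientInfoString":"Client=Outlook"}',
    # Admin logon from an account missing from the inventory: still counted via LogonType.
    '{"CreationTime":"2025-02-11T09:10:00","Operation":"MailItemsAccessed","UserId":"breakglass@example.gov","MailboxOwnerUPN":"examiner1@example.gov","LogonType":1,"ClientInfoString":"Client=OWA"}',
    # Malformed line, as real exports sometimes contain; must be skipped, not crash.
    'not json at all',
]

# Hypothetical inventory of known privileged mail-platform accounts.
PRIVILEGED_ACCOUNTS = {"svc-exchadmin@example.gov"}


def parse_audit(lines):
    """Parse JSON-lines audit records, skipping lines that are not valid JSON."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_privileged_non_owner_access(rec, privileged):
    """True when a privileged account reads a mailbox that is not its own.

    'Privileged' means the actor is in the inventory OR the platform itself
    recorded an admin logon type; relying on the inventory alone would miss
    admin access from accounts nobody wrote down.
    """
    if rec.get("Operation") != "MailItemsAccessed":
        return False
    actor = rec.get("UserId", "").lower()
    owner = rec.get("MailboxOwnerUPN", "").lower()
    if not actor or not owner or actor == owner:
        return False
    return actor in privileged or rec.get("LogonType") == 1


def privileged_mailbox_fanout(records, privileged):
    """Map each privileged actor to the set of foreign mailboxes it read."""
    fanout = defaultdict(set)
    for rec in records:
        if is_privileged_non_owner_access(rec, privileged):
            fanout[rec["UserId"].lower()].add(rec["MailboxOwnerUPN"].lower())
    return fanout


def flag_actors(lines, privileged=PRIVILEGED_ACCOUNTS, min_mailboxes=3):
    """Return {actor: sorted mailboxes} for actors whose fan-out meets the threshold.

    A single foreign mailbox read may be legitimate support work; one account
    sweeping several executives' and examiners' mailboxes is the pattern worth
    paging on.
    """
    fanout = privileged_mailbox_fanout(parse_audit(lines), privileged)
    return {actor: sorted(boxes) for actor, boxes in fanout.items()
            if len(boxes) >= min_mailboxes}


if __name__ == "__main__":
    for actor, boxes in flag_actors(RAW_AUDIT_LINES).items():
        print(f"ALERT {actor} read {len(boxes)} foreign mailboxes: {', '.join(boxes)}")
```

The fan-out threshold is the design choice that matters: any single admin read of another user's mailbox is noisy, but one privileged identity touching many mailboxes in a short window is exactly the "unusual interaction" the OCC reported. In production the same rule would additionally key on a time window and exclude documented break-glass or eDiscovery activity.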

Upon confirming the breach, the OCC deployed internal data science experts and independent third parties to analyze compromised communications, a process that remained ongoing at the time of congressional notification. Forensic reviews determined that unauthorized actors accessed emails belonging to multiple executives and employees. Acting Comptroller Rodney E. Hood acknowledged organizational and structural deficiencies contributing to the incident, pledging full accountability for identified vulnerabilities and missed internal findings. The OCC engaged third-party cybersecurity specialists to evaluate investigation and forensic efforts while launching an immediate assessment of IT security policies and procedures to enhance threat prevention, detection, and remediation capabilities. Coordination with the Department of the Treasury occurred throughout the investigation to share findings. The agency also planned to commission an additional independent third-party review of internal cyber incident response processes.
