Treasury bureau notifies Congress that email hack was a ‘major’ cybersecurity incident

The Office of the Comptroller of the Currency has notified Congress that a February breach of its email system is classified as a major cybersecurity incident.
The incident was first disclosed Feb. 26, though the OCC provided virtually no details at the time, only saying that it had resolved a security incident “involving an administrative account in the OCC email system” and that a “limited number of affected email accounts” were disabled following a broader investigation.
“There is no indication of any impact to the financial sector at this time,” the OCC said in a statement.
On Tuesday, the office provided an update, saying internal and independent investigations of email accounts and attachments indicate that the OCC first became aware of the incident on Feb. 11, when it was notified of an administrative account that was interacting with agency mailboxes in an unusual fashion. The next day, IT staff confirmed the account’s access was unauthorized and disabled the affected accounts.
“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” Acting Comptroller of the Currency Rodney E. Hood said in a statement. “There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”
According to the OCC, the incident resulted in the theft of “highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes.” Bloomberg, which obtained a draft copy of the letter sent to Congress, reported that the compromise was extensive, exposing over 150,000 emails from 103 bank regulators dating back to May 2023.
The federal government has yet to attribute the hack to a specific group or country, with the OCC saying only that it is collaborating with the Cybersecurity and Infrastructure Security Agency and the Department of the Treasury during its investigations. The OCC’s supervisory role and the information available about the stolen emails suggest that espionage or financial motivations might be involved.
“Regulators’ communications are often intertwined with sensitive macroeconomic and risk-posturing details. It could give attackers essentially a blueprint of sector-level risk in the U.S.,” said Gabrielle Hempel, a security operations strategist and threat intelligence researcher for Exabeam. “Nation-state actors could use this information to destabilize markets, manipulate currency policy, or further target regulated institutions.”
The OCC breach happened two months after the Department of the Treasury suffered another hack, first disclosed in December, that resulted in the compromise of multiple workstations and data, including the computer of then-Treasury Secretary Janet Yellen.
The U.S. government attributed that hack to Chinese actors, and last month the Department of Justice indicted 12 Chinese nationals tied to the Ministry of State Security and i-Soon, a known hacking-for-hire contractor, for carrying out the compromise.