OCC Email Breach Exposes Sensitive Bank Data in Multi-Year Cyberattack (May 2023–2025)
The Office of the Comptroller of the Currency (OCC) has disclosed a significant cybersecurity breach that exposed over 150,000 emails from 100 OCC officials, including highly sensitive information on federally regulated banks. The intrusion, which began in May 2023, went undetected until early 2025 and has resulted in major institutional and industry repercussions.
Timeline and Scope
- May 2023: Attackers compromise an administrative account with broad access.
- May 2023–Feb 2025: Over 150,000 emails and attachments accessed by threat actors, many containing sensitive bank data.
- Feb 2025: Microsoft detects unusual network behavior and notifies OCC.
- April 2025: OCC publicly discloses breach; major banks begin limiting information sharing with OCC.
Attack Vector and Detection
The breach was enabled by the compromise of an overprivileged administrative account lacking proper segmentation and monitoring. Notably, the OCC failed to detect the intrusion; Microsoft identified the breach in February 2025 through abnormal network activity.
Impact and Industry Response
- Emails and attachments viewed by attackers included confidential information about the financial health of regulated banks.
- OCC’s CIO warned that the exposure is “likely to result in demonstrable harm to public confidence.”
- JPMorgan, BNY Mellon, and other major banks have limited data sharing with the OCC until security can be assured.
OCC Organizational Response
- The OCC elevated its Information Technology and Security senior deputy comptroller to the executive team.
- Merged the Midsize and Community Bank Supervision and Large Bank Supervision departments into a new Bank Supervision and Examination division.
Severity and Recommendations
- Severity: High. The breach’s long dwell time, scope, and sensitivity of data present ongoing risks to the financial sector.
- Recommendations:
  - Regulators: Enforce least-privilege access, invest in real-time monitoring, and conduct regular third-party security audits.
  - Financial Institutions: Limit sensitive data sharing with regulators until security is assured; monitor for targeted phishing or downstream attacks.
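One concrete form of the "real-time monitoring" recommendation is to alert when a single account reads the mailboxes of many different users, the pattern behind the OCC intrusion. The following is an added example, not code from the OCC or the cited sources; the audit records, account names and field names (`actor`, `mailbox`, `op`) are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed mailbox-access audit log (JSON lines). An over-broad service
# account reads six officials' mailboxes; the other actors behave normally.
SAMPLE_AUDIT_LOG = """
{"ts": "2023-05-12T02:11:09Z", "actor": "svc-exchange-admin", "mailbox": "official01@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T02:13:40Z", "actor": "svc-exchange-admin", "mailbox": "official02@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T02:15:02Z", "actor": "svc-exchange-admin", "mailbox": "official03@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T02:18:55Z", "actor": "svc-exchange-admin", "mailbox": "official04@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T02:21:17Z", "actor": "svc-exchange-admin", "mailbox": "official05@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T02:24:48Z", "actor": "svc-exchange-admin", "mailbox": "official06@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T08:02:10Z", "actor": "official02", "mailbox": "official02@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T08:05:33Z", "actor": "official03", "mailbox": "official04@example.gov", "op": "MailItemsAccessed"}
{"ts": "2023-05-12T09:00:00Z", "actor": "svc-exchange-admin", "mailbox": "official07@example.gov", "op": "Set-Mailbox"}
"""


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_broad_readers(events, max_distinct=5):
    """Return {actor: sorted mailboxes} for every actor that read more than
    max_distinct mailboxes other than its own. Own-mailbox reads and
    non-read operations (configuration changes) are ignored so that a
    single delegate or an admin's legitimate config work is not flagged."""
    seen = defaultdict(set)
    for e in events:
        if e["op"] != "MailItemsAccessed":
            continue
        if e["mailbox"].split("@")[0] == e["actor"]:
            continue  # reading one's own mailbox is expected
        seen[e["actor"]].add(e["mailbox"])
    return {actor: sorted(boxes) for actor, boxes in seen.items()
            if len(boxes) > max_distinct}


if __name__ == "__main__":
    for actor, boxes in find_broad_readers(parse_events(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT: {actor} read {len(boxes)} mailboxes: {', '.join(boxes)}")
```

In a real deployment the threshold would be set from a baseline of normal admin behaviour, and the alert would be correlated with the account's privilege level so that a broad-access account reading any user mail at all is reviewed.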
Sources
- BPInsights: April 19, 2025 – Bank Policy Institute
- Bloomberg: Hackers Spied on 100 Bank Regulators’ Emails for Over a Year
- Bloomberg: JPMorgan, BNY Limit Information Sharing With OCC After Hack