The OCC hack leaves banks feeling under attack

The OCC suffered a major cybersecurity breach that remained undetected for a year, prompting backlash from major banks. The incident has intensified calls for stronger identity controls and secure communications systems.

17 April 2025
By Aarti Agarwal

In brief:

  • The OCC has been the victim of a ‘major information security incident’ where hackers had access to more than 100 email accounts for over a year before identification
  • Banks such as JP Morgan and BNY Mellon have halted sharing information electronically with the OCC as uncertainty around what data was exposed persists
  • Regulators and banks must be vigilant and implement robust third-party solutions to avoid security breaches of this scale and sophistication

In what has been classed as a ‘major information security incident’ by the US Treasury, the Office of the Comptroller of the Currency (OCC) has dominated the compliance news cycle as yet another case of a U.S. government agency falling victim to a cybersecurity breach. Although the identity of the hackers remains unknown, the perpetrators were able to access over 100 email accounts and 150,000 emails from May 2023 until their detection and removal at the beginning of 2025.

The OCC is an independent bureau that oversees the regulation and supervision of over 1,000 national banks, federal savings associations and the U.S. branches of foreign banks. The length of time for which the email accounts were exposed, paired with the highly sensitive nature of the data the OCC handles, magnifies both the severity and the scale of potential harm from the hack.

An OC(Sea) of breaches

Investigations are still underway, and the extent of the harm done to the financial sector is still to be uncovered. However, current findings reveal that the intrusion persisted for over a year and exposed confidential regulatory correspondence and documentation, including cybersecurity assessments, operational vulnerabilities, and classified materials such as National Security Letters, which often contain details around terrorism and espionage.

Although the breach was detected in February 2025, banks that may have been affected only learned of the full extent of the hack when the story became public, and they remain in the dark about the specific data that may have been compromised. Unsurprisingly, this has led banks such as JP Morgan and Bank of New York Mellon to scale back electronic information sharing with the OCC. A shared concern amongst banks is that stolen and exposed correspondence may include data that highlights weak cybersecurity controls, leaving them more susceptible to future attacks. If the regulator itself is unable to implement strong security measures, what hope is there for the banks it supervises?

Not only has this incident harmed public confidence in the regulator, but the lack of communication about the impact of the hack has also tarnished trust, signaling that communication and transparency are essential as the financial sector faces an evolving cybersecurity threat landscape. If the regulator demands transparency from banks and financial services firms when dealing with regulatory violations, it must hold itself to the same standard. Much like the Oracle Cloud breach, the organizations affected are still looking for answers as to what data may have been compromised. Both cases are clear examples of why firms must look to integrate third-party vendors that can aid investigations and remove risk to data security.

OCC in need of OTT cybersecurity

There are a host of capabilities that third-party vendors can provide to organizations and regulators to prevent cybersecurity threats from penetrating their defenses.

Identity & Access Management: Firms must opt for solutions that allow them to control and monitor user access to communication systems such as email, and to ensure that only authorized personnel can use them. The breach may have been caused by compromised credentials or over-permissioned access, and strong identity management could have limited this intrusion.

Compliant messaging platforms: Secure and compliant external communication platforms with built-in monitoring and archiving reduce reliance on ‘shadow IT’ and prevent vulnerability to hacks.

Real-time monitoring: Flagging high-risk communication behavior through custom lexicons and alert rules for specific threat scenarios, such as logins at unusual times or keywords that suggest privilege misuse, could ensure earlier detection of misconduct or bad actors.

Search and analytics tools: The ability to search across archived data for forensic audits and analyze communication trends to identify weaknesses and recurring policy violations aids post-breach investigations.
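The monitoring described above, as an added illustration that is not code from the original article or from any vendor: it scans constructed mailbox-access log lines and flags off-hours logins and messages whose subjects match a privilege-misuse lexicon. It also flags a login from a source address not previously seen for that user, which goes slightly beyond the text; the log format, field names, business-hours window and lexicon are all assumptions made for this example.

```python
"""Added example: flag suspicious mailbox-access events from constructed log lines.
The log format, field names, hours window and lexicon are assumptions for this
illustration, not any vendor's product rules or the OCC's actual logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,user,event,src_ip,detail"
SAMPLE_LOG = """\
2023-05-02T14:05:00Z,alice,login,10.0.0.5,ok
2023-05-02T02:41:00Z,alice,login,203.0.113.7,ok
2023-05-02T02:43:00Z,alice,read,203.0.113.7,subject=Cyber assessment - Bank A
2023-05-03T09:10:00Z,bob,login,10.0.0.8,ok
2023-05-03T09:12:00Z,bob,send,10.0.0.8,subject=grant mailbox delegate rights to svc-acct
2023-05-03T03:00:00Z,bob,login,10.0.0.8,ok
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as normal (assumption)
# Keywords hinting at mailbox privilege changes (assumed lexicon)
PRIVILEGE_LEXICON = ("delegate", "forwarding rule", "mailbox permission", "grant")


def parse_line(line):
    """Split one CSV-style log line into a dict with a parsed UTC timestamp."""
    ts, user, event, src_ip, detail = line.split(",", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "src_ip": src_ip, "detail": detail}


def flag_events(log_text):
    """Return (user, alert_type, evidence) tuples for every rule that fires."""
    alerts = []
    seen_ips = defaultdict(set)  # per-user source addresses observed so far
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["event"] == "login":
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append((ev["user"], "off_hours_login", ev["ts"].isoformat()))
            if seen_ips[ev["user"]] and ev["src_ip"] not in seen_ips[ev["user"]]:
                alerts.append((ev["user"], "new_source_ip", ev["src_ip"]))
            seen_ips[ev["user"]].add(ev["src_ip"])
        hits = [w for w in PRIVILEGE_LEXICON if w in ev["detail"].lower()]
        if hits:
            alerts.append((ev["user"], "privilege_keyword", ",".join(hits)))
    return alerts


if __name__ == "__main__":
    for user, kind, evidence in flag_events(SAMPLE_LOG):
        print(f"{kind:18} {user:6} {evidence}")
```

In production the same rules would run against a real mail or identity-provider audit feed, with the hours window and source-address baseline learned per user rather than hard-coded.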

What happens next

If this breach has made one thing abundantly clear, it is that the financial industry and regulators must keep investing in data security to ensure they are ahead of any potential threats. As the OCC’s Acting Comptroller stated, the OCC is taking “immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

The OCC has, therefore, identified and acknowledged internal system weaknesses and is now looking to improve its security systems to prevent any future harm. Arguably, had the regulator been better prepared from the start, all of this could have been avoided, something it constantly urges firms to invest in too. As the saying goes, “practice what you preach”.

Global Relay’s technology allows firms and regulators to capture and flag high-risk behavior before it becomes a problem and ensures sensitive data is only accessed by permitted users. Find out more about how our suite of surveillance products can best equip you to deal with the increasing challenges of an evolving cyber threat landscape.
