The Treasury Department’s Office of the Comptroller of the Currency (OCC) has notified Congress of a February 2025 breach of its email system. The cyberattack compromised over 150,000 emails belonging to 103 bank regulators.
The OCC discovered unauthorized access to multiple executives’ and employees’ emails. These are said to have included highly sensitive information, such as the financial condition of federally regulated financial institutions.
The federal agency regulates and supervises all national banks and federal savings associations. In addition, the remit extends to the federal branches and agencies of foreign banks.
Looking at the issue for Digital Journal is Joshua Roback, Principal Security Solution Architect at Swimlane.
Roback begins by attempting to make sense of the situation and its impact: “While it’s difficult to know for sure if there is a tie between this breach and the Department of Treasury hack in December, there is a strong likelihood of correlation in some fashion. That doesn’t necessarily mean that hackers were able to move laterally from one network to another.”
There are vulnerabilities, however. According to Roback: “Early stages of the attack chain, like information gathering on OCC personnel, processes, and technology, may have been gathered during the Treasury breach in December.”
In terms of the reasons behind the attack, this might be more complex than first appears. Roback finds: “If the attack group has pure financial incentive, having sensitive information from the OCC can lead to a similar impact as insider trading. Private knowledge about financial institutions may facilitate front-running.”
On another scale: “In a nation-state scenario, this sensitive information can be used to improve negotiating positions between governments or government-supported businesses, resulting in the threat of intellectual property and even providing opportunities for financial fraud.”
This suggests a more subtle approach to data extraction. Roback says: “Cyberattacks are not always noisy, smash-and-grab events like in the case of ransomware attacks. Threat actors (especially nation-state actors) generally will stay quiet on the network for extended monitoring and information gathering.”
This places strong emphasis upon defence. Roback advises: “It’s important to not only maintain preventative and detection controls, but also proactively hunt for threats and anomalies on the network.”
He adds: “Continuous assessment exercises like red teaming and purple teaming, as well as adopting a modern AI-driven automation strategy, are no longer optional given the growing sophistication of attacks.”
