Hackers Spied on US Bank Regulators’ Emails for Over a Year (1)

Hackers intercepted about 103 bank regulators’ emails for more than a year, gaining access to highly sensitive financial information, according to two people familiar with the matter and a draft letter to Congress seen by Bloomberg News.

The attackers were able to monitor employee emails at the Office of the Comptroller of the Currency after breaking into an administrator’s account, said the people, asking not to be identified because the information isn’t public. OCC on Feb. 12 confirmed that there had been unauthorized activity on its systems after a Microsoft Corp. security team the day before had notified OCC about unusual network behavior, according to the draft letter.

The OCC is an independent bureau of the Treasury Department that regulates and supervises all national banks, federal savings associations and the federal branches and agencies of foreign banks — together holding trillions of dollars in assets. OCC on Tuesday notified Congress about the compromise, describing it as a “major information security incident.”

“The analysis concluded that the highly sensitive bank information contained in the emails and attachments is likely to result in demonstrable harm to public confidence,” OCC Chief Information Officer Kristen Baldwin wrote in the draft letter to Congress that was seen by Bloomberg News.

While US government agencies and officials have long been the targets of state-sponsored espionage campaigns, multiple high-profile breaches have surfaced over the past year. In December, for instance, the Treasury revealed that Chinese state-sponsored hackers had breached their network through a third-party provider, giving them access to some unclassified documents and former Secretary Janet Yellen’s computer. It wasn’t immediately clear if the OCC breach was related, people familiar with the situation said.

Separately, a Chinese group known as Salt Typhoon is believed to have compromised nine US telecommunications carriers, targeting the phones of both US President Donald Trump and former Vice President Kamala Harris.

It’s unclear who is responsible for the breach at OCC. On Feb. 26, the OCC disclosed a “cybersecurity incident” involving an administrative account in the agency’s email system which it discovered that month. It identified a “limited number of affected email accounts” and said they have since been disabled.

The hackers penetrated the mailboxes of senior deputy comptrollers, international banking supervisors and other staff, said one of the people. In all, they had access to roughly 150,000 emails from May 2023 until they were discovered and ousted earlier this year, said the draft letter to Congress.

“Earlier this year, the OCC discovered unauthorized access to a limited number of its executives’ and employees’ emails that contain highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes,” Baldwin said in the draft letter.

The incident was reported to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and there was no indication of any impact on the financial sector “at this time,” OCC said in its initial disclosure. CISA operates as the cyber unit of the Department of Homeland Security, where it helps secure federal systems and shares information about digital threats with the public and private sector.

(Updated with additional context throughout.)

--With assistance from Daniel Flatley.

To contact the reporters on this story:
Margi Murphy in San Francisco at mmurphy500@bloomberg.net;
Jake Bleiberg in New York at jbleiberg2@bloomberg.net

To contact the editors responsible for this story:
Andrew Martin at amartin146@bloomberg.net

Jeff Stone

© 2025 Bloomberg L.P. All rights reserved. Used with permission.