Originally posted at RealClear Markets.
One of the federal government’s top bank regulators just got caught leaving the vault wide open. The Office of the Comptroller of the Currency (OCC), a bureau within the Treasury Department, admitted that it was the victim of a massive data breach—one that lasted for nearly two years and began under the Biden administration. It’s a scandal that should shake public trust in regulatory oversight to its core.

While Biden officials were busy lecturing banks about cybersecurity, their regulators failed to follow the most basic protocols. The breach exposed two years of sensitive internal data about U.S. banks—information that, if exploited, could create serious vulnerabilities in the financial system. And it all reportedly began with a simple failure: an OCC employee didn’t use multifactor authentication. That rookie-level mistake gave hackers the keys to the agency’s email system.

This wasn’t a one-off glitch. The breach spanned nearly half of Biden’s term. Though full details are still emerging, the Treasury Department was also targeted by Chinese state-sponsored actors in late 2024, raising serious questions about whether foreign adversaries were once again behind this attack. The OCC only discovered the intrusion in the opening days of the new Trump administration. That timing is no coincidence. Under Biden, regulators didn’t just fail to stop this breach—they didn’t even know it was happening.

While the OCC was leaking bank records to hackers, then-Acting Comptroller Michael Hsu was congratulating himself for how well banks handled the CrowdStrike outage that briefly disrupted global IT systems in 2024. In a public statement, he claimed that “supervisory efforts” by the OCC helped banks avoid major issues. The reality? Banks succeeded because of their cybersecurity investments, not because of anything the OCC was doing. The real cyber risk wasn’t in the banking sector at all—it was embedded deep inside the government’s systems.

This episode exposes more than just bad security—it reveals how dangerous Washington’s regulatory overreach has become. For years, the OCC has forced banks to hand over mountains of proprietary data through exhaustive examination processes. That data, once handed over, is stored by a government agency that just proved it can’t keep it safe. This isn’t just inefficient. It’s reckless.

Let’s be clear: Banks are already heavily regulated and are some of the most cybersecure institutions in the country. In 2022 alone, the U.S. banking industry spent over $200 billion on technology, much of it dedicated to cybersecurity. They have skin in the game. They protect customer data because failure isn’t an option. But when banks give their most sensitive internal data to the OCC, under legal mandate, they are relying on Washington to hold up its end of the bargain. Biden’s OCC didn’t. It failed spectacularly.

Now, under the Trump administration, there’s a real opportunity to fix this mess. The OCC now reports to the Office of Management and Budget, led by my former boss, Russ Vought. He understands that bloated agencies with no accountability are a threat to both liberty and economic security. The OCC needs reform, starting with a complete overhaul of its examination process. It’s time for the agency to stop demanding excessive data and instead adopt a “minimum necessary” model, a concept common in data privacy policy. Only collect what’s essential to assess financial health. The more data the OCC demands, the more it becomes a target—and a liability.

Regulators should be held to the same standards they impose on the private sector. If a bank had failed to implement multifactor authentication and were breached for two years, heads would roll. Fines would be issued. Shareholders would demand answers. The same accountability must apply to the government.

The OCC also needs to shift its focus back to its core purpose: ensuring the safety and soundness of the banking system. That means ditching political distractions and regulatory sprawl and concentrating on real financial risks, not micromanaging operations or harvesting every bit of internal bank data it can get its hands on.

There’s a lesson here: the greatest threat to the financial system isn’t just foreign hackers—it’s a government regulator that demands security perfection from the private sector while failing to follow its own rules. If we want a secure financial system, we need secure regulators. Let the Trump administration finish what Biden’s couldn’t—or wouldn’t—do: clean house at the OCC, demand accountability, and restore a regulatory framework that protects, rather than endangers, America’s banks. Because in the end, the biggest “insider threat” might just be the insiders in Washington.
Vance Ginn, Ph.D.