OCC, Hertz, Conduent, and IIJ Hit by Cyberattacks, Compromising 150,000 Emails and 407 Million Users

Hackers accessed over 150,000 emails from at least 103 bank regulators at the Office of the Comptroller of the Currency (OCC), with the compromised messages dating back to June 2023. These emails contain highly sensitive financial information about the banks the OCC oversees. The breach, which lasted for more than a year, was discovered after Microsoft Corp.'s security team notified the OCC of unusual network behavior on February 11, 2025. The OCC confirmed unauthorized activity on its systems and subsequently notified Congress via a draft letter from OCC Chief Information Officer Kristen Baldwin, describing the incident as a 'major information security incident'. In response to the OCC hack, major banks such as JPMorgan and BNY Mellon have limited their information sharing with the regulator due to concerns over potential security risks to their own networks. Separately, Hertz Global Holdings Inc. disclosed a data breach involving driver's license numbers and other personal information, which occurred through a hack in its supply chain using zero-day vulnerabilities at a vendor, Cleo Communications US, identified in February. Conduent Inc., a business process services provider, reported a cyberattack in January, where a hacker accessed a limited portion of its systems and stole files containing personal data of a significant number of individuals connected to its clients. In Japan, Internet Initiative Japan Inc. (IIJ) announced that it had been subjected to a cyberattack, potentially leading to the leakage of email content and authentication information of approximately 4072650 email accounts across 6493 contracts using IIJ's Secure MX Service. The breach was detected on April 10, 2025, and affected data from August 3, 2024, onwards.