A recent investigation has revealed that three major hacks of the U.S. Treasury Department in the past five years were directly linked to failures in deploying basic cybersecurity measures that could have either prevented the attacks or detected them much sooner. These incidents have exposed persistent vulnerabilities within the agency responsible for safeguarding the integrity of the U.S. financial system, raising significant concerns among both regulators and the banking sector.
Key Findings from the Investigation
In all three incidents, the Treasury had not implemented cybersecurity controls that are widely regarded as industry standard and that could have either blocked the attacks or flagged the intruders early. Two of the three hacks have become public since December 2024. One was a supply chain attack by Chinese state-backed hackers who compromised BeyondTrust Remote Support, a cloud-hosted privileged access management (PAM) product that a third-party vendor operated for the Treasury, and used that foothold to reach Treasury systems. The attack compromised at least 419 Treasury computers and resulted in the theft of more than 3,000 unclassified files, including documents belonging to top officials.
In another case, attackers had access to the Office of the Comptroller of the Currency's (OCC) email system for more than a year, reading roughly 103 email accounts and about 150,000 emails containing sensitive regulatory information. The intrusion went undetected because of weak perimeter defenses and the absence of monitoring that would have flagged a single actor reading mail across many accounts for months.
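The OCC breach is an example of what monitoring is supposed to catch: one principal reading many mailboxes it does not own, over a long period, from addresses the account had never used before. The following is an added detection example, not tooling from the Treasury or the OCC, run over constructed mailbox-audit lines; the log format, actor and mailbox names, IP addresses, window and threshold are all assumptions chosen for illustration.

```python
"""Added example: two simple mailbox-audit detections.

Rule 1 flags an actor that reads more than MAX_DISTINCT_MAILBOXES foreign
mailboxes within a rolling WINDOW. Rule 2 flags an actor seen from a client
IP outside its known baseline. Everything here (format, names, thresholds)
is an assumption for illustration, not a real audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)    # assumption: rolling detection window
MAX_DISTINCT_MAILBOXES = 3      # assumption: alert above this many foreign mailboxes

# Constructed sample events: timestamp actor mailbox client_ip
SAMPLE_LOG = """\
2024-03-01T09:12:00Z svc-mailsync mbox:alice 10.0.0.5
2024-03-01T09:13:00Z svc-mailsync mbox:bob 10.0.0.5
2024-03-01T09:14:00Z svc-mailsync mbox:carol 10.0.0.5
2024-03-01T09:15:00Z svc-mailsync mbox:dave 10.0.0.5
2024-03-01T09:16:00Z svc-mailsync mbox:erin 10.0.0.5
2024-03-01T10:00:00Z alice mbox:alice 10.0.1.20
2024-03-01T10:05:00Z bob mbox:bob 10.0.1.21
2024-03-02T02:00:00Z alice mbox:alice 203.0.113.7
"""

# Constructed baseline: client IPs each actor has been seen from before.
BASELINE_IPS = {
    "svc-mailsync": {"10.0.0.5"},
    "alice": {"10.0.1.20"},
    "bob": {"10.0.1.21"},
}


def parse(log_text):
    """Parse whitespace-separated audit lines into sorted (ts, actor, mailbox, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, mailbox, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, mailbox, ip))
    events.sort()
    return events


def detect(events, baseline_ips):
    """Return a list of findings, in event order, for the two rules above."""
    findings = []
    recent = defaultdict(list)       # actor -> [(ts, mailbox)] inside WINDOW
    mass_alerted = set()             # actors already reported under rule 1
    ip_alerted = set()               # (actor, ip) pairs already reported under rule 2

    for ts, actor, mailbox, ip in events:
        # Rule 1: reading many distinct mailboxes the actor does not own.
        if mailbox != f"mbox:{actor}":
            buf = recent[actor]
            buf.append((ts, mailbox))
            while buf and ts - buf[0][0] > WINDOW:
                buf.pop(0)           # drop entries that fell out of the window
            distinct = {m for _, m in buf}
            if len(distinct) > MAX_DISTINCT_MAILBOXES and actor not in mass_alerted:
                mass_alerted.add(actor)
                findings.append({"rule": "mass_mailbox_access", "actor": actor,
                                 "count": len(distinct), "at": ts.isoformat()})

        # Rule 2: access from a client IP never seen for this actor.
        if ip not in baseline_ips.get(actor, set()) and (actor, ip) not in ip_alerted:
            ip_alerted.add((actor, ip))
            findings.append({"rule": "new_client_ip", "actor": actor,
                             "ip": ip, "at": ts.isoformat()})
    return findings


def run_example():
    """Run both rules over the constructed sample log."""
    return detect(parse(SAMPLE_LOG), BASELINE_IPS)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

On the sample, the sync account trips rule 1 on its fourth foreign mailbox and alice's login from 203.0.113.7 trips rule 2. A service account that legitimately touches every mailbox would need an explicit allowlist rather than a higher threshold; the point is that an actor touching a hundred accounts for a year leaves exactly this kind of signal if anyone is looking.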
Treasury officials and independent experts have attributed these breaches to long-standing organizational and structural deficiencies, including understaffed cybersecurity leadership and outdated security practices. The Treasury's reliance on third-party vendors without sufficient oversight or enforcement of security standards played a critical role. In the BeyondTrust case, the intruders exploited flaws now tracked as CVE-2024-12356 and CVE-2024-12686; BeyondTrust disclosed and patched them in December 2024, after the intrusion had been found, so patching alone could not have stopped the initial entry. Tighter restrictions on what the vendor-operated service could reach inside the Treasury, and rapid remediation once fixes shipped, would have narrowed the intruders' window.
Consequences and Response
The breaches have deepened mistrust between the Treasury and the financial institutions it oversees, as banks are increasingly concerned about the security of the sensitive regulatory data they submit. In response, the Biden administration issued an executive order mandating stricter cybersecurity standards for federal contractors and requiring the "U.S. Cyber Trust Mark" label on consumer Internet-of-Things products purchased by the government starting in 2027.
The Treasury Department has launched internal and third-party reviews of its security policies and is considering a shift toward a "zero trust" security model, which treats every access request as untrusted regardless of where it originates, grants only the minimum access a task needs, and requires continuous verification of user identity and device state rather than a one-time login.
What the Experts Think
Security professionals have described the weaknesses the attackers exploited as "unreasonable" and indicative of lapses in basic cyber hygiene: failure to patch known flaws, failure to enforce least-privilege access, and failure to encrypt sensitive communications. The incidents underscore the urgent need for federal agencies to modernize their cybersecurity posture and enforce these practices across all systems and vendors.