Critical security breach at US banking regulator exposes sensitive data

The Office of the Comptroller of the Currency (OCC), a key US financial regulator, has notified Congress of a "major information security incident" involving unauthorised access to sensitive emails belonging to executives and employees.

The breach, first detected on 11 February, included "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes", according to the regulator's statement released on Tuesday.

Acting comptroller of the currency Rodney E. Hood said: "The confidentiality and integrity of the OCC's information security systems are paramount to fulfilling its mission. I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organisational and structural deficiencies that contributed to this incident. There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorised access."

The OCC, which regulates and supervises all national banks and federal savings associations as well as federal branches of foreign banks, confirmed that the breach was discovered when unusual interactions were observed between a system administrative account and OCC user mailboxes.

By 12 February, the agency had confirmed the activity was unauthorised and immediately activated incident response protocols, including disabling the compromised administrative accounts and reporting the incident to the Cybersecurity and Infrastructure Security Agency.

While the full impact assessment is ongoing, the OCC has enlisted third-party cybersecurity experts to review the investigation and forensics efforts. The agency also plans to conduct "an immediate and thorough evaluation" of its current IT security policies and procedures.

The OCC initially disclosed the incident on 26 February but did not at that time reveal the sensitive nature of the compromised information. At that stage, the agency indicated there was no evidence of any impact on the financial sector.

Throughout its review, the OCC has coordinated with the Department of the Treasury to share information about its findings, though the regulator has not identified who might be behind the hack or provided specific details about the vulnerabilities that were exploited.


