Lawmakers Demand Answers as CISA Struggles to Contain Major Data Leak


Lawmakers from both chambers of Congress are pressing the U.S. Cybersecurity & Infrastructure Security Agency (CISA) for explanations following reports that a contractor associated with the agency disclosed sensitive AWS GovCloud keys and a significant amount of internal data on a public GitHub account. This inquiry emerges as CISA grapples with the ramifications of the breach and the challenge of revoking the compromised credentials.

Details of the Breach

On May 18, it was revealed that a CISA contractor with administrative access to the agency’s code development platform had established a public GitHub profile named “Private-CISA.” This profile contained plaintext credentials for numerous internal CISA systems. Experts analyzing the exposed data noted that the contractor had disabled GitHub’s built-in safeguards designed to prevent the publication of sensitive information in public repositories.

CISA has acknowledged the breach but has not clarified how long the sensitive data was exposed. Investigations into the now-defunct Private-CISA repository indicate that it was created in November 2025 and appeared to function as a personal workspace rather than a properly managed project repository.

In an official statement, CISA asserted that “there is no indication that any sensitive data was compromised as a result of the incident.” However, in a letter dated May 19 to CISA’s Acting Director Nick Andersen, Senator Maggie Hassan (D-NH) expressed serious concerns regarding the security lapse, questioning how such an incident could occur within an agency tasked with preventing cyber breaches.

“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Hassan stated.

Internal Disruptions at CISA

Senator Hassan highlighted that this incident is set against a backdrop of significant internal upheaval at CISA, which has reportedly lost over a third of its workforce and nearly all senior leadership following a series of early retirements and resignations initiated by the previous administration. This context raises questions about the agency’s capacity to manage cybersecurity effectively.

Representative Bennie Thompson (D-MS), the ranking member of the House Homeland Security Committee, echoed these concerns. In a letter co-signed by Representative Delia Ramirez (D-IL), Thompson pointed out that the incident reflects a weakened security culture within CISA and raises alarms about the agency’s ability to manage its contractors effectively. He noted that adversaries such as China, Russia, and Iran could exploit the information available in the Private-CISA repository.

Ongoing Response to the Leak

Reports indicate that more than a week after CISA was alerted to the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets. Dylan Ayrey, the creator of TruffleHog—a tool designed to identify private keys and other sensitive information in public code repositories—reported that CISA had yet to invalidate an RSA private key that was exposed in the Private-CISA repository. This key provided access to a GitHub application owned by CISA, which could potentially allow an attacker to read source code from all repositories within the CISA-IT organization.

An attacker with this key could abuse that access within the organization, including by accessing private repositories, hijacking CI/CD pipelines, and modifying repository settings. CI/CD, which stands for Continuous Integration and Continuous Delivery, is a set of practices aimed at automating software development processes.

CISA has stated that it is actively coordinating with relevant parties to ensure that any identified leaked credentials are rotated and rendered invalid. However, concerns remain regarding the agency’s overall response and the effectiveness of its security protocols.

Implications for Cybersecurity

The incident has broader implications for the cybersecurity landscape, particularly in the context of how organizations manage sensitive information on platforms like GitHub. Ayrey noted that cybercriminals are vigilant in monitoring public feeds for exposed keys, making it crucial for organizations to implement stringent controls and practices to safeguard their data.

James Wilson, an enterprise technology editor for the Risky Business security podcast, emphasized that organizations can establish policies to prevent employees from disabling GitHub’s protections against publishing sensitive information. However, the challenge remains in preventing employees from using personal accounts to store sensitive data outside of organizational oversight.

“This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine,” Boileau remarked during a recent podcast discussion.
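The kind of pre-publication check that secret scanners perform can be sketched for the two credential types named above, AWS keys and PEM private keys. This is an added example, not code from the original reporting and not how TruffleHog or GitHub implement detection; the patterns, the entropy threshold and the sample text are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Patterns for the credential types named in the article.
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# 40 characters from the base64 alphabet: the shape of an AWS secret access key,
# but also of a hex SHA-1 commit id, so entropy is checked before reporting.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(s):
    """Bits per character; a 40-char hex string can never exceed 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text, min_entropy=4.2):
    """Return (line_number, finding_type) pairs; matched values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_KEY.search(line):
            findings.append((lineno, "private-key-block"))
        if AWS_KEY_ID.search(line):
            findings.append((lineno, "aws-access-key-id"))
        for m in AWS_SECRET.finditer(line):
            if shannon_entropy(m.group()) >= min_entropy:
                findings.append((lineno, "aws-secret-candidate"))
    return findings


# Constructed sample; the key pair is the placeholder used in AWS documentation.
SAMPLE = """\
# deploy notes
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit = 0123456789abcdef0123456789abcdef01234567
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE):
        print(f"line {lineno}: {kind}")
```

Run as a pre-commit hook or CI step, a non-empty result would block the push; the commit id on line 4 of the sample is skipped because its entropy falls below the threshold.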

As CISA continues to address the fallout from this breach, the incident serves as a reminder of the vulnerabilities inherent in the management of sensitive data and the need for robust cybersecurity measures across all levels of government.

For further details on this incident, refer to the original reporting source: krebsonsecurity.com.
