The United States Government Accountability Office (GAO), the independent, nonpartisan government agency within the legislative branch that serves as a federal watchdog organization, announced this week that it was alerted by an IT contractor of a cyber breach that occurred last month. CGI Federal notified the agency of the breach, which may have affected about 6,000 current and former GAO employees.

GAO said in a statement the data involved personally identifiable information on employees including some people who worked there from 2007 to 2017. The data reportedly contained “names, social security numbers, addresses, and some banking information.”

According to the statement from the GAO, the breach had been conducted by a “threat actor exploiting a vulnerability in an externally provided platform.”

GAO continues to investigate the matter and said it would offer free identity theft monitoring services to affected individuals.

CGI Federal, a wholly-owned U.S. operating subsidiary of CGI Inc., is among the largest IT and business consulting services firms in the world. It has pivoted toward cybersecurity in recent years and now holds contracts with the federal government. It is reported to provide IT protection for more than “100 participating agencies” and has provided cybersecurity services to the Departments of State, Justice, Commerce, and Labor, as well as the Federal Communications Commission and the United States Agency for International Development.

Last November, CGI announced that it was awarded a five-year contract from U.S. Strategic Command (USSTRATCOM) to develop and maintain data integration hardware, systems, and software across the command’s Global Data Integration (GDI) environment. CGI’s work will be performed at Offutt Air Force Base in Nebraska.

Just the Latest Cyber Attack

This is the latest employee data breach to target a federal agency, and it is far from the largest – and certainly not on the scale of the 2015 hack of the Office of Personnel Management, which affected about 22 million records connected to employees’ personal data, as well as information about their families.

This particular breach exploited a vulnerability in the Atlassian Confluence suite, a tool that is widely used throughout the federal government for IT and other employee-facing support services, CGI Federal told Nextgov/FCW. The vulnerability was called out in an October 2023 Cybersecurity and Infrastructure Security Agency alert that warned of active exploitation of the tool. In December, Atlassian released security updates to address vulnerabilities affecting multiple products. Atlassian also warned customers with Confluence Data Center and Server instances accessible from the public Internet, including those protected by user authentication, to restrict external network access until the software could be upgraded.

Hackers Will Seek Out Weak Links in Security Chain

This latest security breach will likely serve as a reminder to all federal agencies and contractors to carefully monitor their respective networks, and to keep software up to date. However, security is still only as strong as its weakest link.

“Criminals will often go after a link in the chain, which means they may extract information about government employees not from the agency directly but from a targeted contractor company,” Dave Ratner, CEO of cybersecurity software vendor HYAS, explained to ClearanceJobs via an email. “It’s just one more reason why everyone should be implementing cyber resiliency strategies immediately as part of their 2024 initiatives, as these kinds of breaches, and worse, will continue to occur.”

Federal agencies will likely continue to be the targets of such attacks, in part due to the number of third parties involved.

“Public sector breaches facilitated through IT contractors demonstrate the multifaceted nature of cybersecurity threats that the public sector faces,” warned Emily Phelps, vice president at cybersecurity provider Cyware.

“It highlights the urgent need for a modernized and proactive defense strategy, where collaboration and information sharing between agencies and their partners are paramount,” Phelps told ClearanceJobs via an email. “The concept of collective defense becomes particularly relevant here, emphasizing the idea that protecting one agency effectively contributes to the security of the entire public sector network.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.