Lawmakers Demand Answers from CISA Following Major Security Breach
Lawmakers in both houses of Congress are seeking clarity from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a shocking revelation by KrebsOnSecurity. It was reported this week that a CISA contractor intentionally leaked AWS GovCloud keys and a considerable amount of sensitive agency information onto a public GitHub account. This situation raises critical concerns as CISA grapples with the fallout of this breach and the urgent need to revoke the exposed credentials.
The Leak That Shook CISA
On May 18, KrebsOnSecurity disclosed that a contractor with administrative access to CISA’s code development platform had created a public GitHub profile named “Private-CISA.” This account reportedly included plaintext credentials for multiple internal CISA systems. Experts examining the leak found evidence that the contractor had deliberately disabled GitHub’s protective features designed to prevent the publication of sensitive credentials in public repositories.
CISA confirmed the existence of the leak but has thus far provided limited information regarding how long the data was publicly accessible. It is believed that this public repository was established as early as November 2025, suggesting it may have been used more like a personal scratchpad rather than for any broader project purposes.
Lawmaker Concerns About Cybersecurity Standards
In a written statement, CISA asserted, “there is no indication that any sensitive data was compromised as a result of the incident.” However, the response did little to quell the concerns raised by lawmakers. Senator Maggie Hassan (D-NH), in a May 19 letter to CISA’s Acting Director Nick Andersen, highlighted the gravity of the situation and questioned how such a significant lapse in security could occur within an agency tasked with preventing cyber breaches. She stressed that this incident raises serious doubts about CISA’s internal policies and readiness amidst growing cybersecurity threats to U.S. critical infrastructure.
Internal Struggles within CISA
Senator Hassan noted the troubling context of this incident, which coincides with substantial internal challenges at CISA. The agency has reportedly lost over a third of its workforce and a majority of its senior leadership following a series of early retirements, buyouts, and resignations instigated during the Trump administration. This upheaval raises further questions about the capacity of CISA to manage its cybersecurity responsibilities effectively.
Echoing Hassan’s sentiments, Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, expressed his apprehension about CISA’s security culture. In a co-signed letter with Rep. Delia Ramirez (D-IL), he emphasized the risks posed by foreign adversaries that could exploit the exposed credentials to gain unauthorized access to federal networks.
Ongoing Threats and Inadequate Responses
Reports indicate that weeks after CISA was notified of the data leak by GitGuardian, the agency is still working to invalidate and replace exposed keys and other sensitive secrets. Concerns escalated when security expert Dylan Ayrey, creator of the tool TruffleHog, revealed that CISA had not yet invalidated an RSA private key discovered in the Private-CISA repository. Ayrey underscored the potential damage an attacker could inflict using this exposed key, including accessing code repositories holding vital information and modifying repository settings.
CISA acknowledged these findings and said it was working with the relevant parties to secure its systems. However, concerns about broader exposure persist, given that the agency has not yet rotated leaked credentials tied to other critical security technologies.
The Risks of Public Repositories
KrebsOnSecurity has continually highlighted the dangers associated with public coding platforms like GitHub. These platforms actively publish a live feed of all repository changes, making it effortless for cybercriminals to monitor for leaked keys and secrets. Ayrey confirmed that malicious actors are likely aware of and monitoring CISA’s exposed data, heightening concerns of potential exploitation.
Cultural and Technical Safeguards
Expert commentators on cybersecurity have pointed to a fundamental disconnect between technical controls and human oversight. While organizations can establish policies to prevent unauthorized use of public repositories, it is challenging to control personal accounts created by contractors. Discussions on risk mitigation focus on the need for a robust security culture and compliance from all employees to prevent similar incidents.
Looking Ahead
As lawmakers press for accountability and concrete actions from CISA, the ramifications of this breach extend beyond internal policies. The need for a comprehensive strategy to secure sensitive government data from leaks and unauthorized access is paramount, especially considering escalating threats from cyber adversaries. The incident underscores a critical moment for CISA, but it also serves as a reminder for organizations everywhere to reassess their cybersecurity practices in a landscape fraught with potential vulnerabilities.