Lawmakers are pressing the U.S. Cybersecurity & Infrastructure Security Agency (CISA) for answers regarding a serious data breach involving a contractor who posted sensitive agency information, including AWS GovCloud keys, on a public GitHub account named 'Private-CISA'. The breach, revealed by KrebsOnSecurity, occurred when the contractor disabled GitHub's protections against publishing sensitive information. CISA has acknowledged the leak but has not confirmed how long the data was exposed.
Senator Maggie Hassan raised concerns over CISA's response and management of internal policies, especially after significant staffing changes at the agency. Experts warn that the exposed credentials could grant malicious actors access to CISA’s systems. CISA is still attempting to invalidate the leaked credentials more than a week after being notified by GitGuardian.