Key US government body says it might have been breached, with thousands of employees affected


Thousands of US government employees may have had their private data stolen in a breach that happened within a third-party contractor.

Sometime during January 2024, CGI Federal, an IT services provider focused largely on cybersecurity, suffered a data breach in which threat actors stole sensitive data belonging to about 6,600 employees of the U.S. Government Accountability Office (GAO), Reuters reports.

The GAO is a non-partisan government agency that provides auditing, evaluative, and investigative services for the US Congress. It is described as “the supreme audit institution of the federal government of the United States”.

Confirmed attack

Following the incident, CGI Federal sent a breach notification letter to affected individuals, Reuters further reported. In the letter, the company said the attackers stole "names, social security numbers, addresses, and some banking information." The letter also said the attackers obtained this information by exploiting a vulnerability in an externally provided platform, without explaining further.

The data breach was later confirmed to Nextgov by GAO spokesperson Charles Young: “On January 17 of this year, CGI Federal, a contractor involved in GAO’s financial management systems, notified GAO of a data breach impacting approximately 6,600 people, primarily current and former GAO employees from 2007 to 2017, as well as some companies doing business with GAO,” Young said. 

“GAO immediately took steps to begin identifying and notifying the impacted individuals regarding the release of PII (personally identifiable information),” the statement added. 

A CGI representative recently testified before the US Congress, saying the company provides IT protection for “100 participating agencies”, Reuters said. The representative further elaborated that the State, Justice, Commerce, and Labor departments all used the company’s services, as did the Federal Communications Commission (FCC) and the US Agency for International Development (USAID).


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.