Lawmakers Press CISA for Answers After Major Data Leak
Lawmakers in both the House and Senate are demanding explanations from the Cybersecurity and Infrastructure Security Agency (CISA) after revelations that a contractor publicly exposed sensitive agency credentials — including AWS GovCloud keys — on GitHub. The agency is still working to contain the fallout and revoke the leaked credentials.
The incident came to light after reporting showed that a CISA contractor with administrative access created a public GitHub account named “Private‑CISA”, where they uploaded plaintext credentials for numerous internal systems. Logs indicated the contractor had even disabled GitHub’s built‑in protections that normally prevent secret keys from being published.
CISA acknowledged the breach but has not clarified how long the data was exposed. Security researchers who reviewed the repository said it appeared to have been created in late 2025 and used informally as a personal workspace rather than an official project.
Congressional concern intensifies
Sen. Maggie Hassan (D‑NH) sent a letter to Acting CISA Director Nick Andersen, raising concerns about how such a lapse could occur at the nation’s lead cybersecurity agency. She noted that the breach comes at a time when CISA is already strained, having lost a significant portion of its workforce and senior leadership following forced departures during the Trump administration.
Rep. Bennie Thompson (D‑MS), ranking member of the House Homeland Security Committee, echoed those concerns. In a joint letter with Rep. Delia Ramirez (D‑IL), he warned that the leaked files effectively provided adversaries such as China, Russia, and Iran with a “roadmap” to infiltrate federal networks.
Keys still not revoked days later
Security firm GitGuardian initially alerted CISA to the leak, but more than a week later, many exposed credentials reportedly remained active.
Researcher Dylan Ayrey, creator of the secret‑scanning tool TruffleHog, said that as of May 20, CISA had still not revoked an RSA private key that granted broad access to the agency’s GitHub infrastructure. With that key, an attacker could read private repositories, manipulate CI/CD pipelines, and alter administrative settings.
CISA revoked the key only after being notified again — but other leaked credentials tied to critical systems still had not been rotated, according to Ayrey.
He also noted that cybercriminals routinely monitor GitHub’s public activity feed for exposed keys, meaning hostile actors likely saw the CISA secrets soon after they were posted.
Reward this post with your reaction or TipDrop:
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
TipDrop
0










