CISA Credential Leak Raises Concerns
Congress is seeking answers from the Cybersecurity and Infrastructure Security Agency (CISA) regarding the reported public exposure of sensitive agency credential data on GitHub. The incident, discovered by security firm GitGuardian, exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November.
A House Homeland Security Committee aide said the panel is seeking a staff-level briefing from CISA on the matter. Mississippi Rep. Bennie Thompson and Delia Ramirez, the top Democrat on the panel's cyber subcommittee, have demanded a briefing to learn about the security lapse, potential consequences, and corrective actions.
Incident Details
The repository, apparently maintained by a contractor at Nightwing, was named 'Private-CISA'. GitGuardian security researcher Guillaume Valadon said the leak was one of the worst he has ever seen, and that his main fear is that a state actor will get the data and might be able to do bad stuff.
Valadon said that state-based attackers who obtained the credentials might be able to gain persistence, making it even worse than an attacker destroying everything. A Nightwing spokesperson referred questions to CISA.
Reactions and Concerns
Sen. Maggie Hassan, D-N.H., sent a letter to CISA's acting director, Nick Andersen, seeking a classified briefing to answer questions about the incident. She said the reported incident raises serious questions about CISA's internal policies and procedures.
Security professionals have voiced concern about the leak and the potential for abuse by malicious parties. Ben Harris, founder of WatchTowr, said the kind of exposure that happened for CISA is an unfortunately painful but common way that organizations inadvertently leak sensitive credentials to the wider web.
Dave Mitchell, senior director of threat intelligence at Infoblox, said the incident shows the importance of teams having controls and audits in place across their repositories. Travis Rosiek, public sector chief technology officer at Rubrik, noted that the timing of the issue aligned with the government shutdown that was only recently resolved for DHS.
CISA Response
CISA said it was looking into what happened and that there is no indication that any sensitive data was compromised as a result of the incident. The agency is working to ensure additional safeguards are implemented to prevent future occurrences.
CISA has had other security incidents, some of them recent. The former acting director of the agency endured criticism for uploading sensitive contract data to ChatGPT last year. In 2024, the agency notified Congress of a breach of a chemical plant security tool.
Mitigating Circumstances
Some researchers have said there are mitigating circumstances that make elements of the leak defensible or understandable. CISA acted swiftly to remove the repository once alerted to the leak. Human error can still make it difficult to entirely avoid incidents like this, even if CISA has the right policies in place.
Ben Harris said the reality is that cybersecurity is people, process, technology, and this happens every single day to different organizations, including cybersecurity companies. It's not ideal that it's even happened once, but the reality is that it's not exclusive to CISA.
Source: CyberScoop