GAO Notifies Employees Of A Breach Of CGI Federal That Affects Them

Yesterday, in a breach notification letter seen by Reuters, the U.S. Government Accountability Office said that one of its IT contractors, CGI Federal, notified the agency of a data breach last month affecting the PII of about 6,000 GAO employees who worked between 2007 and 2017.

CGI Group, the information systems and management consultancy, has shifted to cybersecurity in recent years, and said in congressional testimony that it provides IT protection for “100 participating agencies” including the State, Justice, Commerce, and Labor departments, as well as the FCC and the US Agency for International Development.

The notification letter said that the threat actor exploited a “vulnerability in an externally provided platform” and the data exposed included:

  • Names
  • SSNs
  • Addresses
  • Banking information

A GAO spokesperson said the agency was notified about the breach on Jan. 17 but provided few other details.

Emily Phelps, VP, Cyware, had this comment:

“Public sector breaches facilitated through IT contractors demonstrate the multifaceted nature of cybersecurity threats that the public sector faces. It highlights the urgent need for a modernized and proactive defense strategy, where collaboration and information sharing between agencies and their partners are paramount. The concept of collective defense becomes particularly relevant here, emphasizing the idea that protecting one agency effectively contributes to the security of the entire public sector network.”


Dave Ratner, CEO, HYAS, follows with this comment:

“Criminals will often go after a link in the chain, which means they may extract information about government employees not from the agency directly but from a targeted contractor company. It’s just one more reason why everyone should be implementing cyber resiliency strategies immediately as part of their 2024 initiatives as these kinds of breaches, and worse, will continue to occur.”

When a cybersecurity company gets pwned, that’s bad. But when a customer gets pwned, that’s worse. This truly isn’t a great day for CGI Federal.
