Lawmakers Demand Answers as CISA Tries to Contain Data Leak

Lawmakers on Capitol Hill are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) following a report that a contractor intentionally exposed a significant amount of sensitive agency data, including AWS GovCloud keys, on a public GitHub account. The breach has prompted an inquiry from both houses of Congress as CISA works to mitigate the fallout and revoke the compromised credentials.
The incident came to light when a CISA contractor, who had administrative access to the agency's code development platform, created a public GitHub profile named "Private-CISA." This profile contained plaintext credentials for numerous internal CISA systems. Security experts who examined the repository noted that the contractor had disabled GitHub's built-in safeguards designed to prevent the accidental publication of sensitive information in public repositories.

While CISA has acknowledged the data leak, the agency has not provided details on how long the exposed information remained accessible. However, analysis of the now-removed "Private-CISA" archive suggests it was established in November 2025 and appeared to function as a personal workspace or synchronization tool for an individual rather than a formal project repository.
In response to the breach, CISA issued a statement asserting that there is no indication of sensitive data compromise as a result of the incident. However, this statement has not quelled concerns from lawmakers. Senator Maggie Hassan, in a letter to CISA's Acting Director Nick Andersen, expressed serious reservations about how such a security lapse could occur within an agency tasked with protecting against cyber threats. She highlighted the incident's implications for CISA's internal policies and procedures, particularly in the context of ongoing cybersecurity threats targeting U.S. critical infrastructure.
Echoing these concerns, Representative Bennie Thompson, ranking member of the House Homeland Security Committee, and Representative Delia Ramirez, ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, also communicated their worries to CISA leadership. They suggested the incident might reflect a weakened security culture or inadequate oversight of contractor support, noting that adversaries like China, Russia, and Iran actively seek access to federal networks. The information exposed in the "Private-CISA" repository, they argued, could provide a roadmap for such actors.

More than a week after CISA was initially alerted to the leak by the security firm GitGuardian, the agency was reportedly still in the process of invalidating and replacing many of the exposed keys and secrets. Dylan Ayrey, creator of the open-source tool TruffleHog, which detects secrets in code, reported that a critical RSA private key granting access to a CISA enterprise-owned GitHub app remained un-invalidated. This key, he explained, provided broad access to all code repositories within the CISA-IT organization, allowing an attacker to read source code, deploy malicious code, and alter repository settings. CISA stated it was coordinating with vendors to rotate and invalidate any identified leaked credentials.
Ayrey's company, Truffle Security, monitors public code platforms for exposed secrets. He noted that while his company uses GitHub's public feed of code commits to identify and alert affected parties, malicious actors also monitor this data stream for vulnerabilities. The "Private-CISA" repository exposed dozens of plaintext credentials to critical CISA GovCloud resources, with some of the most sensitive disclosures appearing to have occurred in late April 2026. Ayrey indicated that evidence suggests attackers also monitor these public data feeds.
Experts suggest that while organizations can implement top-down policies to prevent employees from disabling GitHub's security features for official repositories, preventing individuals from using personal accounts for unauthorized data storage remains a challenge. This type of incident, they noted, may represent a human element issue rather than a purely technical one, especially if the contractor's actions occurred outside of CISA's managed environment and visibility.





