Lawmakers Seek Answers As CISA Tries to Contain Data Leaks – Krebs on Security

Lawmakers in both houses of Congress are seeking answers from the US Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor inadvertently published AWS GovCloud keys and dozens of agency secrets to a public GitHub account. The scrutiny comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.
On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development environment had created a public GitHub repository named “Private-CISA” that included confidential information on many of CISA’s internal systems. Experts who reviewed the leaked secrets said the code repository’s commit logs showed that the CISA contractor had disabled GitHub’s built-in protections against publishing sensitive credentials in public repositories.
CISA acknowledged the leak but did not answer questions about the timing of the data exposure. However, experts who reviewed the Private-CISA repository say it was originally created in November 2025, and that it shows a pattern consistent with the user treating the repository as an active scratchpad or synchronization method rather than a dedicated project repository.
In a written statement, CISA said there was “no indication that any sensitive information was compromised as a result of this incident.” But in a May 19 letter (PDF) to Acting CISA Director Nick Andersen, Sen. Maggie Hassan (D-NH) said the data leak raises serious questions about how such a security lapse could happen at the very agency charged with helping prevent cyber breaches.
“This report raises serious concerns about CISA’s internal policies and procedures at a time of major cybersecurity threats to US critical infrastructure,” wrote Sen. Hassan.
A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA seeks answers to many questions about the breach.
Sen. Hassan noted that the incident occurred due to a major disruption within CISA, which has lost more than a third of its staff and almost all of its top leaders after the Trump administration forced a series of early retirements, buyouts, and resignations at all levels of the agency.
Rep. Bennie Thompson (D-MS), ranking member of the House Homeland Security Committee, echoed the senator’s concerns.
“We are concerned that this incident reflects a compromised security culture and/or CISA’s inability to properly manage its contract support,” Thompson wrote in a May 19 letter to CISA’s acting director, co-signed by Rep. Delia Ramirez (D-Ill), ranking member of the subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries – such as China, Russia, and Iran – want access and persistence in state networks. The files contained in the ‘Private-CISA’ archive provided information, access, and a road map to do just that.”
KrebsOnSecurity has learned that a week after CISA was first notified of the exposure by the security company GitGuardian, the agency is still working to deactivate and replace many of the exposed keys and secrets.
On May 20, KrebsOnSecurity heard from Dylan Ayrey, creator of TruffleHog, an open source tool for finding private keys and other secrets buried in code hosted on GitHub and other public forums. Ayrey said CISA had not yet rotated a private RSA key exposed in the Private-CISA repo that provides access to a GitHub application managed by a CISA business account and hosted on the CISA-IT GitHub organization, with full access to all of that organization’s code repositories.
“An attacker with this key can read the source code from all repositories in the CISA-IT organization, including any secrets residing there, register rogue actors to hijack CI/CD pipelines and repository secrets, and modify the repository’s administrative settings including branch protection rules, webhooks, and deployment keys,” Ayrey told KrebsOnSecurity. CI/CD stands for Continuous Integration and Continuous Delivery, and refers to a set of processes used to automate the building, testing and deployment of software.
KrebsOnSecurity notified CISA of Ayrey’s findings on May 20. Ayrey said CISA appears to have rotated the exposed RSA private key sometime after that notification. But he noted that CISA still hasn’t rotated leaked credentials tied to other key security technologies deployed in the agency’s technology portfolio (KrebsOnSecurity isn’t naming those technologies publicly yet).
In a brief written statement responding to questions about Ayrey’s findings, CISA said: “CISA is responding and coordinating with the appropriate agencies and vendors to ensure that any leaked credentials are replaced and invalidated, and will continue to take appropriate actions to protect the security of our systems.”
Ayrey said his company Truffle Security monitors GitHub and other code platforms for exposed keys, and tries to warn affected accounts about the exposure of sensitive data. This is easy to do on GitHub because the platform publishes a live feed that includes a record of all commits and changes in public code repositories. But he said cybercriminals also monitor this public feed, and are often quick to pounce on API or SSH keys that are unknowingly published in code.
The Private-CISA GitHub repo has exposed a wealth of confidential information on key CISA GovCloud resources.
In other words, it is possible that cybercrime groups or foreign adversaries also saw the publication of these CISA secrets, the worst of which appears to have happened in late April 2025, Ayrey said.
“We’re monitoring that data firehose to find the keys, and we have tools to try to find out who they are,” he said. “We have evidence the attackers are monitoring that firehose. Anyone monitoring GitHub events may be sitting on this information.”
James Wilson, business technology editor for the Risky Business security podcast, says organizations that use GitHub to manage code projects can set up policies that prevent employees from disabling GitHub’s protection against publishing private keys and credentials. But Wilson and his partner Adam Boileau said it was unclear whether any technology would prevent an employee from opening a personal GitHub account and using it to store sensitive and proprietary information.
“Ultimately, this is something you can’t solve with technological control,” Boileau said on this week’s podcast. “This is a problem for people where you hire a contractor to do this work and they decide of their own accord to use GitHub to sync content from a work machine to a home machine. I don’t know what technical controls you can take given that this is being done outside of anything CISA owns or has any visibility into.”
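The detection approach the article describes for TruffleHog, GitGuardian and GitHub’s push protection, as an added Python example (not code from any of those tools or from CISA): it scans commit text for the secret types the article names (AWS access keys and a PEM private key), drops low-entropy placeholders, and exposes a pre-commit gate of the kind Wilson says organizations can enforce. The diff content and key values are constructed placeholders, and the pattern set is a deliberately small assumption rather than any tool’s real rule list.

```python
import math
import re

# Patterns for the secret types the article names. The AWS secret-key
# pattern yields candidates only; the entropy check below filters
# ordinary 40-character strings such as placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}

def shannon_entropy(s):
    """Bits per character; random 40-char base64 secrets score well above 4."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, min_entropy=3.5):
    """Return (line_number, finding_type) pairs for secrets found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name == "aws_secret_access_key" and shannon_entropy(m.group(1)) < min_entropy:
                continue  # low-entropy value is a placeholder, not a live key
            findings.append((lineno, name))
    return findings

def pre_commit_check(diff_text):
    """Gate of the kind push protection enforces: True means the commit may proceed."""
    return not scan_text(diff_text)

# Constructed sample commit content; the key values are fake placeholders.
SAMPLE_DIFF = """\
+# scratchpad sync from work laptop
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...
"""

if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {kind}")
    print("commit allowed:", pre_commit_check(SAMPLE_DIFF))
```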
Update, 3:05 pm ET: Added statement from CISA.